Rolling With The Breaches

Guest post from Pete Herzog, co-founder of the Institute for Security and Open Methodologies (ISECOM).

It’s likely that one day you’re going to take the blame for a large-scale, advanced-persistent-threat type of breach at your company. So to get you ready, here’s a helpful tip for you: Don’t. Don’t be the person all fingers point to. Run away now. But if you can’t and it does happen, here’s an excerpt from an actual memo that showed up in Wikileaks that so many C-levels today subscribe to in order to come out on top after a breach:


Never in history have you been more likely to be a cyber victim than now. I’m not
gonna lie to you, it can suck. Even worse if you’re in charge of cybersecurity. I’ll
give you an idea on how much suck it will be. First, it’ll be in the news. You’d think
you would like the attention you get with many more Insta followers and all that, but
up until now you’ve likely not been cyber shamed which is another thing entirely you
never want to live through. Yes, it’ll happen. It will. It’s not just that cyber mobs are
gonna castigate you for being a victim, you’re probably gonna get fired too. So
let that sink in. The world is no longer a rosy place for the C-level security personnel.

You need to see the positive though. A breach on your watch isn’t the fastest way
down the job ladder. It’s a job booster! You know how many C-level Sec-Ops have
never experienced a breach? Dozens! You’ll have unique experience and firms are
gonna want you just for that really expensive lesson you just learned. You can now
run their security with their full confidence that you can survive a breach. And it’s
around this deep consideration that you will shine, or at least survive the next breach
and so, maybe, will they. Or at least they’ll have time to cash out some stocks and
desert the company before things get too bad. That’ll make you like a hero. It shows
you are a valuable contributor to the company, especially the board part of it. They’ll
never let you go with that kind of team effort! But surviving that first breach is not
gonna be easy so plan for it now. Have your contingencies ready. Be prepared.

Make your bed to lie in, my mom always said. That’s not just some good advice for
you but really should be your main tactic. As a C-level you can’t go somewhere and
cry when the hammer falls. But you can make someone else cry. And fire them too.

Never admit to actual wrong-doing while you point out the failures and if they’re
gonna try to blame you, have any number of people in different departments that’ll
say it was one of the Linux admins who missed a patch. Or a vendor! That’s an easy
goodbye! Vendors are known for their contributions to breaches and the best is you’ll
never have to face them for it if you blame the right one, like those in HVAC! They’re
gonna have explaining to do! But not to you since you don’t do HVAC contracts!

Tell me you get it now. I know you’re seeing this my way. A breach is inevitable so it’s
a wise person who prepares for survival. Security isn’t about prevention, it’s about the
lie that you tell yourself and the lies you tell others to feel good, feel secure.

And if you think that’s a horrible idea then ask yourself what a risk strategy is. You
hurt the weak so the strong can thrive. And in this risk scenario, who is the strong?
You. You are. And if you don’t protect you, how can you keep protecting others?


If you take that advice you are certain to be as Teflon as the other C-levels today. You see, it’s not cybersecurity advice, it’s how-to-be-an-ass advice. Unfortunately, we are seeing more and more of this kind of behavior at companies. They lose our data, our information, and inconvenience the hell out of us and then act like pointing fingers around and making us give them more info about us so they can sign us up to one third of a crappy credit freeze is solving the problem.

It’s like a big joke to them. It’s like they’re pranking us. And if you want to know how that turns out, study that memo again and you’ll see for yourself.