You don’t go into cybersecurity to make friends

Stories about how I've come to embrace security's role as the "bad cops" in enterprises. My secret? Staying grounded in security's core purpose, which is to defend best practices and integrity.


“If I wanted to make friends I wouldn’t work in security,” he yelled, smashing the phone on his desk. He put his jacket back on and stormed off while I looked toward my other colleague, blushing, shuffling.

My architect had argued about self-signed certificates with an infrastructure engineer. The heat shot up because security folks were made to look like zealots - once more.

This is the nature of our jobs.

We are not bringing in direct customers. We are adding friction. We are not cheap.

We can also make people uncomfortable. We see their mess. We hold people accountable for their legacy software and technical debt.

This is a feature, not a bug.

This week, I’ll show you why you should embrace our position as “the bad cops” in enterprise information systems.

More importantly, drawing from my experience, I’ll tell you how to maintain strong business relationships despite being such annoying folks.


Security carries a lot of weight

Every bad project has its own story. When my colleague exploded on the phone, we were stuck with a rotten apple. A big-shot consultant had convinced the business that they needed some mouse-recording type of software to automate redundant tasks.

The problem? Developers hated it. The low-code interface didn't offer debug tools. There was no separate development environment. It did not integrate with version history, nor with code repositories.

Security got involved because the mouse recorder needed a database and access to systems.

We spent a few weeks in the crossfire between the developers and business users. I remember one meeting with the developers: they laid out all the awful development tools that the mouse recorder offered. "This is a security risk, right? You can pull the plug on this thing, can't you?"

My colleague declined, telling them this was not his war to fight.

I agreed back then. Today, looking back, I don't. See, my friend's rationale for not getting involved was that these issues weren't going to lead to hackers infiltrating the network. Nowadays, I have expanded my view.

Security doesn't mean preventing breaches. Security is about advocating for doing things right. We are the angels on people's shoulders, whispering to them that they should follow best practices.

The developers who support a business unit want to keep their relationships as enablers. Many people in security try to fend off their reputation as "the ones saying no". I get that.

Yet, now that I'm older, I'm fine with taking one for the team. If you believe the cause is right, then go for it, regardless of whether it's "security" or not! Software development must follow clear processes; version control is mandatory; testing must happen! Security vulnerabilities grow in these interstices of laziness!

Here's how I used my "security veto" in that vein...


Security can inform spending

I've become a third-party risk management specialist over the years; I've completed well over 400 security assessments. Name an app, I've audited it. I've read their docs, both public and confidential. I've come to understand their place in business ecosystems.

Why would I keep all that knowledge solely for the sake of "security"? I've come to question even the business needs for purchasing software. Do you really need another project management app?

Every software purchase increases the attack surface. The more assets we have, the more configurations I must monitor for drift and mistakes. In the cloud, this means another identity I must protect.

When I see a landing page tool that does not offer version history, a content management system that has weak TLS ciphers, or a chatbot with bad defaults, I am happy to lead the way in tough discussions.

"Security doesn't want this" is bad for our image, yes. But what I've come to find is that sloppy security correlates with sloppy service, and sloppy software in general.

We have the chance, as security specialists, to know apps from a horizontal perspective. We care about databases, networks, configurations, and data lifecycle. We must share these insights internally. It's our duty to show courage.

And that also means we force spending...


The security tax

The SSO Wall of Shame collects apps that charge ridiculous fees (double, triple) for single sign-on (SSO). SSO allows organizations to rely on their own identity provider to authenticate users. In other words, with SSO, you don't manage passwords. This is a big plus because:

  • Passwords are the primary attack target (password spraying, credential stuffing, and brute force attacks);
  • You simply have to cut SSO access for a terminated employee, instead of removing them from every individual app;
  • Forgotten passwords are responsible for way too many IT tickets.

The absence of SSO is a big security risk. However, what I found out while advocating for SSO is that, often, it comes with a slew of enterprise features that, down the line, benefit the business.
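One practical consequence of the list above is worth showing in code: when every app authenticates through the identity provider, all sign-in attempts land in one log, so the attack patterns named here (password spraying against many accounts, brute force against one) can be detected in a single place. The following is an added example, not code from the original post; the IdP log format and the sample lines are constructed for illustration, and the thresholds (10-minute window, 5 accounts or 5 attempts) are assumptions a real deployment would tune.

```python
"""Spot password spraying and brute force in a centralized (IdP) sign-in log.

Added example with a constructed log format; thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP sign-in log (not real data). One event per line:
#   <ISO timestamp> <OK|FAIL> user=<username> src=<source IP>
# 203.0.113.7 tries one password against six accounts (spraying),
# 198.51.100.9 hammers a single account (brute force),
# 192.0.2.10 is a normal user who mistypes once and then signs in.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:03 FAIL user=bob src=203.0.113.7
2024-05-01T09:00:05 FAIL user=carol src=203.0.113.7
2024-05-01T09:00:07 FAIL user=dave src=203.0.113.7
2024-05-01T09:00:09 FAIL user=erin src=203.0.113.7
2024-05-01T09:00:11 FAIL user=frank src=203.0.113.7
2024-05-01T09:01:00 FAIL user=alice src=192.0.2.10
2024-05-01T09:01:20 OK user=alice src=192.0.2.10
2024-05-01T09:05:00 FAIL user=dave src=198.51.100.9
2024-05-01T09:05:02 FAIL user=dave src=198.51.100.9
2024-05-01T09:05:04 FAIL user=dave src=198.51.100.9
2024-05-01T09:05:06 FAIL user=dave src=198.51.100.9
2024-05-01T09:05:08 FAIL user=dave src=198.51.100.9
2024-05-01T09:05:10 FAIL user=dave src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def _failure_windows(events, key, window):
    """Yield (key value, failures within `window` of each failure), per key.

    Grouping by `key` ("src" or "user") is what the two detectors differ on.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_key[e[key]].append(e)
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            yield k, [e for e in evs[i:] if e["ts"] - start["ts"] <= window]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """One source failing against many distinct accounts in a short window.

    Returns {source_ip: max distinct accounts seen in any window}.
    """
    flagged = {}
    for src, evs in _failure_windows(events, "src", window):
        users = {e["user"] for e in evs}
        if len(users) >= min_users:
            flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged


def detect_brute_force(events, window=timedelta(minutes=10), min_attempts=5):
    """Many failures against a single account in a short window.

    Returns {username: max failures seen in any window}.
    """
    flagged = {}
    for user, evs in _failure_windows(events, "user", window):
        if len(evs) >= min_attempts:
            flagged[user] = max(flagged.get(user, 0), len(evs))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying sources:", detect_password_spray(evs))
    print("brute-forced accounts:", detect_brute_force(evs))
```

The two detectors share one helper and differ only in what they group by: spraying is visible per source (many accounts, one attempt each), brute force per account (one target, many attempts). Without SSO, the same attacker spread across six separately managed apps would show up as one harmless failure in each app's log, and nobody would see the pattern.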

This is the most salient example, but unfortunately, many advanced security features are only available on enterprise plans. Sometimes, security is what's needed to put the business "over the hump" in order to commit to a higher paid plan.

I'd rather live in a world where SSO were free. That said, I've come to find that my security assessments can help build a business case for a more complete software feature set. Better feature coverage also means, down the line, potentially fewer different apps to secure.


How not to get bypassed?

My argument is that security stands for something bigger than quarterly objectives and day-to-day politics. We can afford to be the "bad people" because we see our duty as an infinite march towards improvement. As long as people recognize our purpose, they will seek our advice.

When we fear-monger, we are not relevant. Especially since, most of the time, the dreaded breaches don't happen.

Feel free to disagree. I understand how frustrating it can become to act as a "shield" while IT directors or engineering managers get to look "cool". Would I prefer it if they stood up for the same principles as I do when the heat goes up? Sure! And guess what... it does happen! I've seen managers take my arguments and run with them, knowing that if push comes to shove I would back them with relevant insights and data.

Remember one thing: if a company pays you to be a security advisor, it means that deep down it cares about security. Be that voice.