Seems that we in the security industry can't get away from fighting fires. Talk to most security professionals and they’ll tell you that daily, they are ensconced in either fire fighting or incident response projects to figure out what happened. The great thing is that you can feel highly valuable - you are right out straight working your butt off finding and fixing vulnerabilities. On the other hand, I am sure the gang at Target and Home Depot had also been out finding and fixing things, but that didn’t work out too well, did it? Interesting, too, that most incidents we read about were organizations that were PCI compliant, which gets management wrapped around the axle, thinking they were doing their job. But that's for another post.
Most security professionals I talk to admit that they would welcome the chance to figure out proactively how their organizations can be compromised before they get whacked. That's why events like Black Hat, DEF CON, and DerbyCon are booming, as security pros flock to these events to understand what and where they should be looking for risk. These events provide a much-needed opportunity to get away from the firehouse to look at what is really happening and how advanced the bad guys are. “Think like an attacker” is the operative phrase. It is even more relevant today than 15 years ago when I got into the info security business. In my view, the attackers are 100 times more dangerous now than then, with the ability and know-how to cause catastrophic damage to businesses and even lives.
That's why you need a strategy that is proactive rather than reactive. Being compliant is like standing still. The enemy loves targets that don't move!
These events showcase what the bad guys can do to you and how standards like PCI-DSS are not enough to protect your organization.
The good news is that there are tools showcased at these events that can actually help you see the enemy before he strikes. And they are likely products you don't have today.
I recently met a former security firefighter finally assigned to look for the enemy rather than react or firefight. He welcomed the change from firefighting after many years of doing so and found that he could help his company find risks that audits, forensics and firefighting would never reveal. I asked: how did his company justify the position?
He indicated that the company realized that firefighting was akin to shoveling sand against the tide. It was expensive and only served to create a mentality of sustaining jobs to fight fires, as opposed to actually changing the game. Now, this guy has his dream job. He is loving it because he is finding things that you can't see fighting fires. He is free of the mundane (and thankless!) tasks of finding and fixing, and super energized by the work. He is also likely more loyal to the company giving him an opportunity he values. Good for them.
So ask yourself and your team: are you just shoveling sand against the tide? Can you budget or propose budget for research, testing, social engineering and show the organization what can go wrong before it does? I guarantee that you will find things far more illuminating to management; things that will help them see the value of investing in proactive practices and products that will find the enemy before they find you. And you will be in a dream job, working smarter and providing huge value to your organization.