Divided We Fall

Security collaboration in a fragmented industry

Today marks the end of an interesting week for information security in New Zealand.

For the most part it was like any other. Issues have been identified with systems, some publicly, some privately. Talks have been given, governance frameworks polished and auditors have been diligently practicing their craft as organisations continue the road to compliance. People from all parts of our organisations continued to fight the good fight and try to do something to secure our people, informations and systems.

What stands out however is a set of emerging events and climates that will start to shape how New Zealand finally faces it’s combined information security risk. It started with a summit.

The Connect Smart Cyber Security Summit was held this week in Auckland. This invite only event claimed a high profile group of politicians and industry figures to discuss security at the highest level of our organisations. With an invited audience of CEOs and board members, it aimed to reach out and vitalise the seniors to drive security through their organisation.

The event announced the formation of a national CERT for the country and funding to ensure it can run for 4 years. (Something the NZITF have been working hard towards and pushing for over many years).

This is all positive.

This is all worrying.

We talk of collaboration

The concern from this event and others happening nationally is that we as a community are fractured.

Unless you were a sponsor of the Cyber Security summit this week, senior security leaders were not invited to the event, nor was it live streamed or the outcomes shared in an organised fashion (I don’t count press releases).

This should concern us all

While senior buy-in and support for the growing problems we face in the security space is crucial, they are reliant on the next layer down, the senior security leaders to implement and action their strategies. This layer of management are not just tools to be deployed, they are often providing an additional layer of contextual, technical or standards based knowledge that ensures the CEO and board are equiped to make appropriate decisions based on the risk for their organisation and specific circumstances.

I know this because I am one of these people.

Whether you consider be biased as a vendor or not (I run a small boutique security consultancy), myself and my team are the virtual security leaders for a number of high profile companies both in New Zealand and abroad.

We sit in executive and senior leadership roles that cannot otherwise be filled from the market and help keep these organisations safe until they can find a more permanent candidate.

This isn’t a gimmick or a sales pitch

This is a skills crisis (and one I have been talking about in New Zealand now for 4 years). At the time of writing this I am aware of 16 senior security leadership roles available in Auckland alone. This is a continuous state for security recruitment.

People like me, people from around the security community would have found value in this summit. Even if we couldn’t attend in person (we all appreciate time, money and space are finite), a live stream or notes from the talks would have been a step towards an inclusive collaborative community and away from the fragmentation and isolation we see now.

This isn’t just about the summit though.

We are a community divided

We have around 300 security professionals nationally who support our public and private sectors in a number of ways.

• Breakers (penetration testers and vulnerability researchers)
• Builders (application security specialists and security engineers)
• Advisors (compliance, governance, survival)
• Responders (forensics, incident response and investigators)
• Defenders (analysts, operations centres, systems administrators)
• Leaders (The C suite and the board, CISOs)

The range of skills and abilities needed across these roles is huge. As a field we vary from the deepest technical professionals to wide scoped generalists that need to understand technology, risk and business strategy (whilst dealing with a naturally scary subject).

Despite a publicly acknowledged need to collaborate, we continue to work separately from each other. Our conferences and talks fail to tackle the over-arching question of ‘how on earth are we going to work together to do this’.

We need to play nicely together

• Our defenders don’t use the work of breakers to build new defensive tools.
• Our advisors are not working with our engineers to understand how the technology is changing and what that means for us.
• Our responders and defenders are often left bewildered by audit and compliance that lacks clear relevance to their experiences of the risk our organisations are really facing.
• Our public sectors and private sectors barely cross paths outside of Wellington.

A space to specialise, a space to collaborate

I am proposing we make an effort to change this.

We need to learn to communicate in our own space as well as speaking out into other communities.

This will require all sections of the community (including the government) to come to the table as equals. This includes security professionals and those people in our organisation who are trying to make security work from another role.

Keep what we have but build something new

Let’s keep the specialist events that help our niche groups go deep and keep their skills and approaches relevant to our changing landscape. Events like Kiwicon have provided not just world class education and knowledge sharing for our breaker community, but also provided outreach and education to bring new people to our industry.

There will also always be a need for specialist senior level events to support their unique challenges.

I think we need a third space

A place that bridges our factions and brings us together with a practice focus.

Low on the vendor pitch, high on collaboration. Celebrating our complimentary skills and learning from each other rather than maintaining the adversarial status quo.

Expressions of Interest — Future of Security

I’m not really much for crying about spilled milk and not reaching for the cloth to wipe up the mess. This isn’t my problem to solve alone though and I won’t pretend to try.

We need to do this together.

I don’t know the format or location. I don’t have a line up in mind or an agenda. I don’t speak as a vendor but as a concerned security leader and member of the New Zealand security community.

I am willing to put my time and a little money to make this happen in 2017.

Will you?

Email: laura@safestack.io and let’s get this started.