
Morning, everybody. I'm excited to be here at BSides. It's always great to be the first talk of the day, because it will be the best talk you've heard yet today, unless you've been watching some old talks on YouTube or something. At 10:01 that probably won't be true. So this presentation is something I've been working on for a while. It's not the exact same presentation I've given before, but it's similar in concept, and the title is obviously "Why You Don't Need a Security Team." Of course, what does that mean? Part of it, to be honest with you, is just provocative; it gets people going, right, like Blades of Glory. But perhaps a better title is kind of "Rethinking Security Teams and What They Look Like."

One of the things is, I give a lot of presentations, so I think a lot about presentations, and a lot of the feedback comes down to: people's introductions are kind of terrible, because they talk about themselves a lot. So I always think about the intro as "why should I listen to that person standing up there?" For me, it's that I work for a company called TrustedSec. I've been there about 11 years. Prior to that I worked at a software startup, and before that I did security consulting as well. But what I do every day is work with organizations, really from sole proprietorships to the Fortune 10, to assess and build information security programs. So I just see a lot, right. I think they said they sold over a thousand tickets, so I'd say there are probably at least 900 people here that are smarter than I am, but I've seen just many different things and many programs. I love this slide, because how often do you see the front and the back of someone's head, right? It's pretty rare; maybe in certain changing rooms at Macy's or certain medicine cabinets that may happen. And also Steph, who I work with, is also here; she's based in Pittsburgh.

But really, to start with the conclusion: I read this whole thing that with presentations you should start with the conclusion and then kind of work your way to it. My view is not that we shouldn't have security teams, or that desktop support should be running pen tests. It's just that so many of the things that we traditionally think of as security functions can also be distributed across the general IT function, with support from governance and direction. So really, in short: fewer security people and more people doing security. This is something that I see quite often at organizations. When you talk to people that are in IT roles, they're getting really smart with security; they're doing a lot of the security functions and roles.

And additionally, I know this is really unpopular, people get mad at me when I say this, but just based on what I'm seeing, I think future CISOs are more likely to be a lawyer or an MBA than somebody that has been a hacker. That's based on a number of things I'll talk about. Don't hate me yet. It's fine to be annoyed about that, but I think once we talk through it, it's going to make some more sense. So with that being said, that's the gist of my presentation, right? Sorry, right, so no laughter. So I know what the audience is; that's good. But really, that's fundamentally my point: that much of what we think of as security functions can be distributed across the organization, and that in the future, just given how much compliance and contractual and business issues we face in security, it likely is going to move in that direction. So if track one seems more interesting, then now is probably the time to head over there.

That being said, every organization is so different, and what's fascinated me over my career is that even two organizations that seem to be exactly the same on paper, so they're in the same business, same size, same revenue, what have you, they
still are often extremely different. You'll have very different skill sets, very different goals, different risk tolerances, and so on and so forth. So it is tough, I think, with broader strategy things and broader governance; it can be very tough to really come up with something that's going to work for everybody. But we'll talk about a number of themes that I think are true across industries, across organizations, and across people.

So one of the things that I've really noticed, and I think probably all of us in this room have, is how specialized things have gotten. I was at a conference a year ago and I went into the vendor hall, and there were hundreds of vendors, and I had heard of, I don't know, maybe 20% of them. If you had gone to the same conference 10 years ago, you would have known who everybody was, right? You would have understood, and maybe not had a deep technical knowledge of each of them, but we would be familiar with all those technologies. Now things are just becoming so specialized that it's so difficult for any one person to really understand all the domains at a very deep level. So I think we're seeing a split where there are very deep domain experts and then a lot of generalists as well. We still run into utility players, obviously, but when you think about the people that you know, or your organization, obviously there are a lot of different skill sets, different abilities, and things like that. I believe still that a lot will end up continuing to be outsourced. Of course, take that with a grain of salt; you know what I do for a living, right, I'm a consultant. If I come to your house and say that your windows look terrible, and then you ask me what I do and I sell windows, fair enough, right? But when you start to think about the different skill sets, and how large an organization may need to be to have all these different very deep skill sets, a lot of things I think are going to continue to make sense to outsource.

So another topic: how much do we hear about the cybersecurity skills gap? A lot, right? I'm going to answer my own questions. But what I see a lot of is more of a misalignment, because we haven't necessarily, across the industry or across organizations, really defined what cybersecurity jobs are. When you think about IAM, or you think about things like firewall management, right, so is the person that's doing the settings, is that a security role, if they're not the ones defining what those settings should be? And again, just in my own experience, being fortunate to work with a lot of different organizations, I'm seeing a lot of examples of people that don't have security in their title, but they're in IT and are becoming very well versed in security. Another thing too is, really, when we're executing: if I install brakes, does that mean that I need to know how brakes work 100%, right? So the person that maybe is the engineer working at the auto company or the brake company is probably going to have a different skill set than the person that's installing brakes down at the auto shop. So think in terms of what skills are in short supply.

The bulk of the presentations that I give are outside of the security industry. I was actually in Chicago yesterday presenting to an insurance organization, and just as an aside, it seems like every time I come to Pittsburgh I'm always somewhere else earlier in the week. So I actually flew home last night and then drove out here from Cleveland at 5:30, so my talk's really sponsored by Red Bull. But at these conferences or at these meetings, people often ask me afterward; they always say that they have a kid or someone that wants to get into security, and they always want to be a pentester, right? Everyone gets really excited about that. Well, I love GRC. I've always loved GRC. But in my experience there's no shortage of people that want to be pentesters, yet when you talk to organizations there's a huge shortage of people that are pentesters. And I have a lot of friends that are really good at pentesting or technical skills who are looking for jobs. I know it's incongruous, and I don't have an answer for that, but I think it's important just to think about those things and what that means to the industry. It doesn't
necessarily prove a point; it's just how weird things are right now. But in my experience, again, just with what I see, the largest gap really is people that are able to design programs and understand how to implement them.

So another piece: can we all agree on what a CISO does, right? There's no real definition. I have a friend I went to high school with, and he's a really great guy, and he must do well, because whenever I see him he's out in a boat or doing whatever, but he's always jumping around to different multi-level marketing things. I'll talk to him, like, "oh, what do you do?" He's like, "oh, I'm the CEO." I was like, "oh, awesome, how many employees do you have?" He's like, "I don't have any," right? So even that role. But when you start to think about a CISO, at some companies, you work at these large companies, they have large teams and are working on strategy, versus sometimes we get assigned that title because we have to have one for some regulatory reason. Maybe it's more strategic, or maybe it's actually lying under desks plugging things in, right. What I see a lot is organizations really looking for utility players. I don't know about everybody here, but I'm signed up for every job alert there is, right, and Dave, who owns the company, if you're watching, it's not because I'm leaving. It's because I find, as a consultant, it's a really great way to see changes that may be coming at clients you work with, or if you're in consulting yourself it's a great place to mine for leads, because if a company's hiring for a bunch of security people, guess what, they're thinking about security; maybe it's time to call them. So if you take nothing else away from this, maybe that can help you a little bit if you're in sales. But again, what I see is expectations are just grossly misaligned. It's unbelievable how different the job descriptions are for just about every role in security, which I think kind of supports the case that we need to rethink how we're looking at security overall, especially from a governance perspective.

So society is built on specialization, right? We're going to have lunch today, and I don't even know what lunch is, but let's say it's a sandwich. So we just go and buy a sandwich, or we just go and buy bread, or we go and buy meat. But what if you had to do all the steps to get all those pieces, right? We have someone that grows wheat, we have someone that makes bread, we have someone that raises animals. I've got a bunch of chickens at home. But it's become more and more specialized, right; just about every industry, just about every role, has become more specialized, and I also see security moving that way as well. For a long time, I mean if you've been around for a while, you know security used to be really off to the side. It was something that was very specialized knowledge, but now security seems to touch everything, right. Even a lot of the tools we use have kind of become careers. You have people that are experts in certain tools or certain technologies, and that's their specialty and that's what they do, right; they work with that tool, they work with that technology, they don't necessarily work on the overall strategy.

So people tend to get mad when I say this, but in the old days, and I don't know exactly how long ago it was, you could pick up an encyclopedia and really understand a lot of what humans knew at the time, right, so maybe in the 1800s. It's funny, because I was a horrible student, and I'll just tell you I'm 46, which is like a weird thing, because I'm on the cusp: when I was in high school we had card catalogs, but also sort of the internet that took, I don't know, I remember like three hours to download a picture or something. So I always did everything at the last minute, and I would write my papers the night before, and we had a Funk & Wagnalls encyclopedia that was purely for decoration on the shelf growing up, from like the 1890s, and I used to use that to write my papers. I got in a lot of trouble for that, because everything was always wrong; my whole paper about how the sun revolves around the earth. But I feel that's very similar to what we see in security. As I said, just think back to 10 or 20 years ago: it
was possible to really understand all the different domains and have a really good handle on it at a pretty decent depth, and now that's becoming more and more difficult. So somebody who's an expert on compliance, versus someone who's an expert on cloud, versus somebody who's a pentester, or applications, or what have you; it's becoming more and more specialized.

And then, continuing to move along: how do we even define security, right? Security with a capital S, so a security team or a security program. Everybody hates documentation, but do you have a security charter, right? Have you defined what your security team or what your security program is setting out to accomplish? And think about all the different roles security can have, whether it's at your organization or just in general overall. Are you there to advise, right? So do you come up with the standards, or do you give direction on what should be in place, or are you just consulted about that? Do you make recommendations, or do you make rules with the force of law? And then even thinking about testing: are you the one that's testing the controls, or is that audit? Are we designing or are we implementing? So at organizations, do you have a security team that's designing what goes in place but doesn't necessarily touch the systems, or are they doing both?

And sorry, I look around the stage; about, I think it was about 8 years ago, I fell off the stage at a Federal Reserve branch, and it was a little bit higher than this, and my now wife, who was not my wife at the time, was in the audience, and I just pretended like I meant to do it and went and tried to take questions. But now people bring it up all the time, like whenever I run into people in Cleveland: "oh, remember when you fell off the stage?" I'm like, yes I do, thank you. Like, what else do you want to bring up, what I did in fourth grade? That's also embarrassing.

But also just thinking in terms of building versus running. We have a lot of conversations about this with organizations, because most organizations are staffed to run what they have, right? Does anybody in IT work like 25 hours a week and then go golf? People are working 40, 50, 60 hours a week; they're constantly busy, they're constantly working, and they don't necessarily have time to build and implement the new things. So when we build and look to implement new things, what happens? Sometimes we fall off on the things that we're trying to keep running.

And another big thing, and a big topic that we look at all the time, is existence versus effectiveness, right, when we're testing a security program. So a long time ago I used to be a QSA, with PCI, and in the old days, if you dealt with PCI, you may remember that it used to say you had to have a web application firewall, right? But you could have that web app firewall and it could be set with any rules, but if it was there, all right, my responsibility is to give you a green check, because it exists. But it didn't look at the effectiveness, right? So that's another conversation that we're having a lot more often, and I think is becoming a lot more important, right: not just looking at whether or not the controls are in place, but are those controls effective to buy down risk in the way that we intended.

So another fun topic. We've always had this conversation; people used to talk about infosec versus hackers, and what's the difference, what does that mean? I used to always get told, not anymore, that I was the youngest person they'd ever met that did GRC, or people would always make jokes about "where's my tie" when I'd ask questions about compliance, because I work with a lot of very technical people. But when you picture a hacker, what do you picture, versus when you picture an information security professional, what do you picture, versus governance? There's no governance scene, right? Anybody ever seen, like, I, Robot or Mr. Robot, right? I mean, where's Mr. Governance, right? Where's a movie about somebody rappelling out of a helicopter and helping you write a policy? I mean, I would watch that; it might not do well. Or Mr. Checkbox. So it's just not necessarily something that I think people get as excited about, but for me it's an extremely important topic. Anybody here working governance? All right, so we're well represented.

But another conversation that's becoming more common is even where does security sit. This
has been a thing for a long time. People have often talked about where should a CISO report, right? Should they report to the CIO, should they report to the CFO, should they report directly to the board? And while we were having those conversations, I think a lot of things have shifted, and you're starting to see, as I mentioned before, and we'll get into a little bit later too, where a lot of that security governance role is sitting. But even thinking about it: what is the security function, right? We hear a lot about how, at its root, it's a risk management function, because we want to ensure that whatever we're spending or whatever we're doing is buying down the risk appropriately, but also that we're not spending a million dollars to protect $10,000. And thinking of it even as a technical discipline is really changing now, in my view, and moving largely to governance.

But my point is, if people that do this for a living, one of the things with security is people tend to think about it not just on the job, right? I have friends that are accountants, and they're not researching accounting in the evening, right; they're not going to accounting conferences on the weekends. Nobody has shirts about some accounting technology, unless they get it free at a conference; they use it to wash their car. But if we're people that think about this all the time and debate it, what does that mean for the overall industry, right? What does that mean for people outside of security when they're thinking about how they are going to define it? So one way to look at it is to think about what is the outcome that we want, right? What is the actual role? And you start to look at why we do security and what parts of security matter, and then think about who else is involved, right, and where it could be.

Again, so much of security, and what security deals with, has become legal topics now, right? I mean, who works in IR? How often is legal involved in that? How many things that we do from a security perspective are driven by contractual obligations? Privacy: years ago I used to think privacy was going to overtake security and that we should all get privacy jobs. Of course, I was wrong, just like when I wrote a blog about how the iPad would not be a success when it first came out, and I'm glad you can't find that on the internet now, thank God. So I'm wrong about plenty of things. But even the audit function, right: my wife is an IT auditor, and so looking at what she does, she's getting more and more into security and risk, and that's starting to move largely into the security domain. And even from an HR perspective, not just acceptable use policies but a lot of access management. Or even finance, right, because what happens, how much of security is, again, contractually based and has to do with payouts and who's responsible for a breach and everything else? Obviously, general IT has continued to, I think, expand into the security domain. And procurement; procurement is one of my favorite topics, third-party risk management. When I was giving my presentation yesterday to the insurance groups, we talked a little bit about third-party due diligence, but the problem is, if you watch the news, right, what's been happening with a lot of really big companies, a lot of big third-party companies: they've been getting breached, right, and they've been causing incidents. And the challenge is that just about all of them would have passed any third-party assessment with flying colors, right? They have all the certificates; they can fill out all those forms you want. And it's becoming more difficult, and I think the procurement process in general is a really good example of where, in the different processes and programs at any organization, security ends up fitting. I think this further kind of helps my argument that a lot of these security roles and functions can, and in the future will, fall to general IT, but with some kind of oversight from a security governance function.

So one of the things that's extremely important for us is obviously carrying the message, right? How often do you hear that security is everyone's responsibility? All the time, right? But is it, right? If I'm allowed to drive the company truck to make deliveries, it's my job to not drive it recklessly, right? I should report it if something seems off. But is it my job, if I'm driving the company truck, to get underneath that truck and check the brakes and look at the way the frame is set up or anything like that? No.
I should be given some kind of safe-to-drive vehicle. And I think that's something else that's going to continue to change. It's very easy to blame people that end up being ultimately responsible for these issues, but when you start to think about it, you see a lot of victim blaming. It's not up to us, right, to know every nuance of accounting or finance or human resources, but we expect a lot of people to know a lot of the elements of security that they may not know. People get annoyed with me when I say it too, though, but if Bob in accounting can click one thing and take down our entire company, that's probably something of an IT issue or a security issue.

So moving along: I think one of the most important things as well is to understand the organization, and I think that's going to continue to inform how we look at security programs and how we look at the responsibility for security. In the old days, security used to be the party of no, right? If you're older, you probably used to hear that all the time, and I think that what I've seen is it started to morph into, a lot of times, security likes to get to zero risk. But we're not the FAA, right? You don't make money taking no risk. The FAA is fascinating. My kids are young, and so they don't worry about me flying. When my dad used to travel all the time, I used to be really nervous when he traveled, because planes would fall out of the sky a couple times a year, right? It was a legitimate thing as a kid I worried about. But my kids are 16, 12 and 2, and they cannot fundamentally understand that it's possible for a domestic commercial airliner to crash, right? And that's because the FAA, and this is probably a worse example given everything in the news, but if a plane crashes, they'll go out, they'll get every part off the bottom of the ocean, reassemble it, figure out what happened, and then they'll go out and fix that issue on all the planes, right? Well, we can't do that, right? We'd never be able to function as businesses and organizations. So understanding risk management, and understanding the risk that organizations need to take, and implementing those into our security program is going to continue to be essential, and I think it's another one of the reasons that we'll continue to see security functions and security oversight move out of just a specific security role and into the broader organization, into the broader management organization.

Another point I like to make is audit and regulators can be your best friends. In the old days, so much of security was based on compliance requirements. People used to hate it, right? They talk about "security, not compliance," or vice versa, but how many times did we see organizations that built a security program because they had to, or implemented security controls because they had to? It was extremely common. So I remember at a different BSides, at BSides Cleveland, somebody much smarter than I am was on a panel, and she was talking about would you rather have a software security team or developers that write secure code. I would pick the second, right? I mean, you still need oversight, you still need to check your applications, everything else. But this is one of the reasons, when we talk about the overall topic of security governance, people always ask me "how many security FTE should I have?" I don't know, right? Because I don't know who your FTE are. I'm sure there are people in this room that probably know 15 different technologies and can go in and assess and implement any one of those, and then there are others of us, right; I don't know that I could assess or implement any 15 technologies. I mean, I'm a governance guy.

And so looking at that, and starting to understand how we're able to hire, especially for specialized roles, and even defining whether these roles should even be in security, I think is going to continue to be essential. One of the questions, even from a firewall admin perspective: when you're counting your security FTE, is that a security role if they're implementing, or if they're designing, right, or if they're testing? And I think this is going to become an even bigger issue, right, because does anybody right now have an open checkbook to hire? Right, companies are slowing down their hiring, and so they're looking for
more value. And I think, in the same way that people are looking at the tools that they have in their environment and trying to understand if they're making the most use of them, it's going to continue to have organizations looking to give more and more of their currently specialized roles to more generalist roles.

So in the old days, all anyone ever talked about was breaches, right? We talked about Target or Heartland or what have you, and remember you used to have all those big bubble charts that would show the different size of breach data and so on and so forth. One of the things I used to think about, 10 or 15 years ago, especially as an interview question, is if you were hiring somebody into a security program, I would like to ask them: if you had a manufacturer with no compliance requirements and no real intellectual property that they're particularly worried about, how would you sell them on a security program, right? As a thought exercise, it used to be really difficult, and now it's extremely simple, because it's all about availability, right? So if you think about the news stories, how many of them are about availability these days? We're in a casino right now. For somebody my age, it still blows me away that the internet being unavailable means I can't check into my hotel room. I mean, that still feels crazy to me. But availability has become a much bigger issue.

And one of the things that we've been talking about constantly, so again kind of looking at the future: I went out and I just did a Google search for "crystal ball royalty-free." I work in information security, but my passion is graphic design; it's like my side thing. But one of the things that we keep hearing is, organizations for years have been very willing to spend a ton of money on security, right? They bought a ton of tools, they spent a lot of money in a lot of different areas, and what's happened? Have incidents and breaches gone up or down? Gone way up, right? I mean, any of us with the news, and with contracts and insurance and availability issues, it's going to continue to get to be more of an issue, and organizations, I think a lot of them are looking at it as if they feel like they're going to get breached at some point. So the old "it's not if, it's when," and looking to ensure that they have the lawyers on hand to handle it, even more so than the technical staff. So I think that's going to continue to drive the ways that we think about things and structure things.

Anybody know what this is? So this is an image that I like to use, right, and it's not about IT in general; it's not that every day is the same and we're constantly running towards a goal that seems to be constantly pulled away, like Charlie Brown and the football. I like this because if I go out and buy a treadmill right now, right, and I plop it down in front of my TV, am I in shape? I'm not in shape, right? And what if I leave that treadmill sitting there for six months, right? Am I in shape? Still not in shape, right? You have to actually use it. And this is an image that I like to use when talking about a lot of the different security tools that are out there, because it's pretty common that tools are not being used effectively, or we're not using all the capabilities. Feel free to steal that one, or not.

But when thinking about future security programs, it's easy to look at it and say that's not going to happen, or what have you, but look at the environment: are we able to find people anyway, right? When you look at the issue of the skills gap or the hiring gap, it's that organizations are looking for people that can hit the ground running and have expertise in multiple domains, and they don't necessarily exist right now. And when we continue to see the specialization, it becomes even more difficult. And so many of the roles I think are becoming duplicative, right? So you see a train, right; trains used to have cabooses, right, they used to have an extra person riding in the caboose, and now there are just two engineers or maybe even one. They're talking about getting rid of having two pilots in the cockpit. So organizations are looking to have fewer and fewer people that are doing more and more, and I think one of the ways to look at that is not just upskilling, right, so upskilling thinking of taking people that have not
worked in IT or not worked in security and bringing them in, but I think also cross-skilling, right, so training our current IT staff and our current IT teams to continue to learn security and implement things securely.

So one of the things: what should be in-house? Again, with a grain of salt, I work in consulting, as a third party, but it really depends on the size of your organization. You think about, what's your IR plan? Well, I like to think about it like I think about my house, right? What's my fire plan? My fire plan is, well, I'll use the fire extinguisher a little bit, but then I'm just going to call the fire department, right? That's my plan, right? There are some people that might have their own fire department. But at least looking at and determining what should be in-house, and how big and complex these things need to be, is going to be essential. What can you outsource? What can just be picking up the phone? And as we continue to look at these distributed security functions, and thinking about what is the actual outcome that we're interested in having, right, what do we actually want to accomplish and what is our end goal? Often, from that perspective, we get misaligned as security teams. But is the outcome, is our goal, based on the business realities? Is it based on the risk? And are we thinking about how to get to that outcome in the end? So if you think about it, what we're doing as a security strategy, how does that align with the overall business strategy?

So I like to let people read this and see if they laugh, but I'm getting like no laughs today, so, such is life, right? But even thinking about it, with all these different technologies, the cloud, right: I work with someone named Paul Sams who's one of the smartest guys I know, and he always describes the cloud as kind of insecure by default, right, the way that it's shipped. It's not set up for security necessarily, and so a lot of organizations will just let it sit as it is. And as we get more and more specialized, I was out at a Fortune 100 company, and it was during the summer and we were having lunch, and there were like three different tables, and sometimes you can just tell that people kind of are sticking together, and I was like, "oh, what team is that?" "Oh, those are our consultants," right? They had a whole team of consultants from the outside coming in to work on a specific technology, because it was really impossible to hire 40 people that knew it. So I think that's going to continue to happen, right; we're going to start to have a lot of people that are outsourced and working on these functions.

So again, this is one of my least popular opinions, but I too read Twitter, or X, or whatever we call it these days. Like Vanessa Williams, I save the best for last. Oh God, man, this is a really rough crowd. Like, I usually, even if people get nothing out of it, at least they laugh a few times, and that's what they remember if nothing else, but I'm not going to have that today, so that's unfortunate for me. But I really do think, I mean this is probably my biggest point; I actually saw an article recently about it, a couple weeks ago, I think it was CIO magazine or CISO magazine or one of those magazines that's very specialized, but it was about how this is becoming more and more of a conversation. And just that the security role, again, is so based on contractual obligations and reporting and legislation and everything else that it's just likely to be a role that is kind of more business-based and supported by a technical security
director so this is absolutely my best slide as I mentioned I'm a I'm a graphic design Enthusiast but again we can't predict the future but whatever it is is going to be interesting um the industry is so different now than it was 10 years ago and I think 10 years from now it's going to continue to to change and be much more different than it is today um but as always you know be good to each other and I left about five minutes for questions if anybody has
any Yes W that I am that guy that fell off that stage and it's still it so I'll tell you one other story right so every time end up speaking in Pittsburgh I'm always somewhere else that week and so I always end up like you know flying home on Thursday night and then driving out on Friday and so I was out here I forget which conference it was but it was at the Rivers and there were about 600 people there and I think it was it was one it was just one track at the time I was speaking which was 4:00 and I was all excited and then they went and they put the CP certificates out right on the
table at 3 and I was speak speaking at four and so I walk into that big room and I'm standing there and there were seven people right in a room that held like 400 people like seven people's fine but in a room that holds 400 that's terrible right that's just like upsetting and the even better part of those seven is four are people that I work with right and so I didn't even know like I didn't even know what to do um so I just um one of them it's a my friend named Chris bash he was there and he was like super like he he knew the situation and he knows how high strong I am and
how upset I would be by that so he was just like yeah yeah like you know what I mean like cheering me on the whole time so at least there W seven people here any other questions all right well thank you everybody very much [Applause]