Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

2019 Security Program Horizons

December 11, 2018 By Doug

One of the things I love most about my job is the opportunity to collaborate with hundreds of security leaders across many industries and geographies.  There are definitely industry-specific focuses, as well as some geographic trends, yet the overarching themes are common across the security landscape.  Following the usual year-end tradition, here’s what I see on the horizon for our programs, as well as some things that aren’t on the radar that probably should be, and as a bonus, one that is, that probably shouldn’t be.

The overarching theme again in 2019 will be staffing and resources.  I separate those intentionally, both because people are more than just a resource, and because the staffing challenges are deeper than the budget challenges.  We’ve all heard the varying statistics about millions of unfilled cybersecurity jobs in the next few years, yet as damaging as unfilled positions are, the churn occurring within the existing staff is worse.

One CISO, at a medium-sized company, has given up trying to retain most of his staff – he views himself as a farm team for the big companies.  So he’s trying to maintain a core of well-compensated people and live with the churn at the lower levels of the organization.  Many CISOs have complained that their HR pay bands/scales/ranges are based on IT, rather than security, and are both low and far too static. Yet even when they are able to maintain market compensation, the mind-numbing tedium of repetitive tasks causes job frustration and churn.

Those staffing challenges are driving the two big technical trends for 2019:  widespread adoption of machine learning in the SOC for incident discovery, and automation/orchestration for remediation. There’s (rightly) a lot of skepticism about machine learning and AI right now, yet real implementations are having significant success in reducing the grunt work of low-level incident identification and analysis.   User and entity behavior analytics (UEBA) are still in the early stages, though we’ll see wider adoption.  While some organizations will attempt to build their own security analytics data lakes on top of general-purpose ML tooling, as we’ve seen this past year, those efforts often fail, and I don’t expect widespread traction in that area.

Once the incidents are identified, automation of routine remediation will explode next year.  That’ll be split about evenly between human-in-the-loop and hands-off automation, depending on culture and the severity of the incident.  One CISO has a policy that every time an incident is manually remediated, the next step is to automate it – the program goal is that manual remediation for any given incident type only occurs once. That’s improving staff morale and retention, allowing his highly skilled people to move up the value chain, and that approach will see widespread adoption next year, particularly for commodity incidents.
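The split described above (hands-off for commodity incidents, human-in-the-loop for higher tiers, manual for anything without a playbook yet, plus a backlog that enforces the "manual only once" rule) is easiest to see as a small dispatcher. The following is an added example, not code from the original post or from any vendor's orchestration product; the tier thresholds, incident kinds, playbook names and the four sample incidents are all constructed assumptions.

```python
"""Added example (not from the original post): a minimal remediation
dispatcher that encodes the split between hands-off automation,
human-in-the-loop automation and manual handling by incident tier.
Tier thresholds, incident kinds and playbook names are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical tiers: 1 = commodity, 2 = needs an analyst's sign-off,
# 3 = business-critical and always handled by a human.
HANDS_OFF_MAX_TIER = 1
HUMAN_IN_LOOP_MAX_TIER = 2


@dataclass
class Incident:
    kind: str
    tier: int
    target: str                   # IP, URL or hostname the playbook acts on
    asset_critical: bool = False  # critical assets never auto-remediate


@dataclass
class Decision:
    mode: str              # "auto", "approval" or "manual"
    action: Optional[str]  # what the playbook did, or None if nothing ran
    reason: str


# Playbooks are plain callables; these simulate the action they would take.
def block_indicator(inc: Incident) -> str:
    return f"blocked {inc.target} at the perimeter"


def isolate_host(inc: Incident) -> str:
    return f"isolated {inc.target} via EDR"


PLAYBOOKS: Dict[str, Callable[[Incident], str]] = {
    "phishing_url": block_indicator,
    "known_bad_ip": block_indicator,
    "commodity_malware": isolate_host,
}


@dataclass
class Dispatcher:
    approve: Callable[[Incident], bool]  # the human gate for tier-2 actions
    audit: List[str] = field(default_factory=list)
    automation_backlog: List[str] = field(default_factory=list)

    def dispatch(self, inc: Incident) -> Decision:
        playbook = PLAYBOOKS.get(inc.kind)
        if playbook is None:
            # First time this kind is seen: handle it by hand, and record
            # that the next step is to build a playbook for it.
            if inc.kind not in self.automation_backlog:
                self.automation_backlog.append(inc.kind)
            return self._log(inc, Decision("manual", None, "no playbook yet"))
        if inc.tier > HUMAN_IN_LOOP_MAX_TIER or inc.asset_critical:
            return self._log(inc, Decision(
                "manual", None, "tier or asset criticality too high to automate"))
        if inc.tier <= HANDS_OFF_MAX_TIER:
            return self._log(inc, Decision("auto", playbook(inc), "commodity incident"))
        # Tier 2: the playbook exists, but a human must approve each run.
        if self.approve(inc):
            return self._log(inc, Decision("approval", playbook(inc), "analyst approved"))
        return self._log(inc, Decision("manual", None, "analyst declined automation"))

    def _log(self, inc: Incident, d: Decision) -> Decision:
        # Every decision, automated or not, leaves an audit trail.
        self.audit.append(f"{inc.kind}:{inc.target}:{d.mode}:{d.action or '-'}")
        return d


def demo(approve_all: bool = True) -> Tuple[Dispatcher, List[Decision]]:
    """Run four constructed incidents through the dispatcher."""
    disp = Dispatcher(approve=lambda inc: approve_all)
    incidents = [
        Incident("phishing_url", 1, "http://example.invalid/login"),
        Incident("commodity_malware", 2, "ws-0142"),
        Incident("commodity_malware", 2, "db-prod-01", asset_critical=True),
        Incident("insider_data_staging", 3, "fs-03"),
    ]
    return disp, [disp.dispatch(i) for i in incidents]


if __name__ == "__main__":
    disp, decisions = demo()
    for line in disp.audit:
        print(line)
    print("automation backlog:", disp.automation_backlog)
```

The approval callable is where a ticketing or chat-ops prompt would sit in a real deployment; the asset-criticality override matters because a tier-2 playbook that is safe on a workstation (isolating it) is an outage when pointed at a production database.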

Another trend we’ll see, particularly among small and medium-sized organizations, is a move towards managed security services, at least for Tier-1 and often a hybrid model for Tier-2 and 3.  We’ll continue to see some dissatisfaction with MSS providers, and churn among those customers. An aside on that: the best practice is to make sure you own the analytics infrastructure and the data, so that when the MSS provider changes, history isn’t lost.  The root cause of the dissatisfaction is that MSS contracts are written like IT outsourcing contracts, with very clear specifications of what will be done. Understandable from a liability standpoint, but ineffective in a fast-moving and dynamic cyber-hostile world.  I’m starting to see some MSS providers working towards more flexible contract language, but that’s slow going.  Still, due to the staffing shortage, particularly for off-hours support, MSS will be a core feature of a growing number of programs in 2019.

The flip side to MSS and its challenges is the cloud.  In this case, I’m talking mostly about security from the cloud.  Right now, on-prem solutions require care and feeding, and often it’s the security professionals who are managing the tools.  Moving those solutions off-prem frees up staff to actually do security.  I saw the corner turn in 2018, with even risk-averse organizations embracing the cloud for select portions of their infrastructure. In 2019 that’ll accelerate, particularly for analytics and identity.  Related to that is the emerging trend of the cloud providers offering security solutions themselves.  Right now that’s rudimentary at best, and only for environments directly on their cloud.  I don’t expect major improvements in 2019 – but let’s revisit for 2020.

An honorable mention goes out to companies with large IoT deployments, particularly for critical infrastructure:  securing those environments will be the major program driver in 2019.  That’ll begin with security analytics – just being able to understand what’s happening in the OT network is the largest challenge.  The volume of events and data produced, as well as the unique characteristics of the environment, will require custom machine learning models to properly detect anomalies.  Rule-based analytics are likely to remain problematic for IoT data sources due to the high variance between implementations.

The next honorable mention is SSL/TLS decryption.  This has just started to emerge as a major concern over the past few months, and I had three conversations about it in the past two weeks alone.  Upwards of 60% of traffic is now encrypted, including the vast majority of C2 traffic and data exfiltration, so inspection that only sees cleartext is blind to most of what matters.  If the 2019 budget didn’t include decryption funding, that’s likely to be an incremental ask.

The last honorable mention goes to our business stakeholders, who are now facing the reality that they need more than just technical means of addressing cyber risk.  First, there’s been a growing trend to move the CISO out from under the CIO or CTO, and into a risk, compliance, general counsel, or direct COO/CEO reporting structure, and I expect that to become much more common in 2019. Second, as the threat of a black swan event becomes real, business executives are growing concerned about having good crisis communication plans in place.   What looks like a good idea in the heat of battle often turns out to be a really bad decision, so a few forward-looking teams are building those comms plans in advance.  Part of that includes being prepared for a question on an earnings call asking if you’ve ever experienced a breach.   The proliferation of privacy regulations makes answering that very touchy, as ‘breach’, ‘incident’, ‘disclosure’ and the like may all carry specific legal meanings.  A few more big breaches, and this could be a major trend in 2019.

And that leads me to the things that should be major trends, but aren’t.  Those privacy regulations are largely known, but I’m not seeing significant efforts to address them programmatically.  Companies that had to comply with GDPR are assuming those efforts will be sufficient for the upcoming California law and the now-in-effect Colorado law, and they’re probably not too far off (assuming they adopted the GDPR controls worldwide rather than only for EU data).  For organizations that didn’t have GDPR requirements, I’m not seeing widespread interest in a data classification and discovery effort. It’s hard and tedious, but if you don’t know where the data is, what it is, or who owns it, complying with disclosure regulations is essentially impossible.  If we get a national pre-emptive law (highly unlikely), those teams will be caught short.

That’s a good example of the big piece that’s missing from the hot trends: basic blocking and tackling. In addition to data governance, many organizations, including those looking at AI and machine learning, still don’t have positive control over what’s on their network, how it’s configured, or in many cases, even formal policies governing the environment.  Identity remains problematic, with a lack of centralized authority, integration with employee life-cycle, let alone SSO.  Gaps in that basic infrastructure will prevent the ‘hot trend’ initiatives from realizing full value.  It’s hard to do UBA without endpoint or identity management!

Now the bonus, I hear a lot of interest in threat hunting.  That’s one that commonly comes up in conversation, though honestly, the vast majority of organizations aren’t ready to really tackle it, at least not beyond the vanity title.  Let’s leave that for another blog post, and probably a 2020 trend.

In closing, I had a CISO, pretty worn out from a long year, wistfully hope for a ‘Christmas Truce’.  I suspect that desire is the widest trend of all, so here’s hoping for a Silent Night this season.

Merry Christmas to you and yours!

Filed Under: Security Tagged With: 2019, AI, automation, Christmas Truce, CISO, machine learning, managed services, orchestration, security, security program, ssl decryption, staffing, threat hunting

Friday Photo – Ready for the Storm: Cape Otway Lighthouse

December 7, 2018 By Doug

On our trip to Victoria, Australia we revisited our previous route along the Great Ocean Road.  Last time we didn’t have a chance to head down Cape Otway and see the lighthouse, so we made a point to add it to the itinerary.  We visited on a blustery October day, with the wind biting and cold.  I can only imagine what it would have been like to be on the water during a storm at night, when through the blackness shines a light in the distance, guiding you from the shoals towards a safe port.

Filed Under: Photography Tagged With: australia, friday photo, otway, victoria

Technical Storytelling – Keeping your Audience Awake

December 4, 2018 By Doug

(C) Copyright Depositphotos / @luislouro

When people ask me what I really do for a living, I tell them I’m a storyteller:  I listen to people tell how things are, apply my experience and insight to the situation, then tell a story about how we can make the future better.  After a recent keynote, I was flattered when several people came up and asked me to share some thoughts and ideas on technical storytelling.   That’s a wide ranging topic, and while I’ve been studying the topic for years, I don’t pretend to be an expert on all of it.  So here’s just a short intro to the topic of modern, technical storytelling.

We are all wired for story, and have been since the first time we told a tale around the campfire – stories, and sharing them, are one of the defining characteristics that make us human.  And those stories have things in common.  They have a beginning, a middle and an end, and often have heroes and villains, trials and tribulations, and a twist or surprise.  Stories connect us with each other, and transform us from individuals – or vendor and customer – into a team working together towards a better outcome. Use cases are stories when built properly.  Product demos are most effective when they’re stories –  hint: ‘this tab does this, and this button does that’  is not a story!

Stories can be visual, verbal, or written.  I’ve found that they work best when they’re either visual and verbal together, or written by themselves (though some pictures can help).  In this post, I’ll talk mostly about formal presentations, but whiteboards also fall into that category – you just draw the picture as you go.  The worst are when written and verbal are combined.  Case in point is the infamous slideument that tries to multi-purpose a presentation as a document.  It does neither well, and often sucks at both.   By this measure, about 99% of presentations, well, suck.  Seriously, if you’re going to leave your slides behind – or heaven forbid, read them – you don’t need to show up in the first place.  That’s because of what Guy Kawasaki calls the Bozo Effect.  It goes something like this:

If you need to put eight-point or ten-point fonts up there, it’s because you do not know your material.  If you start reading your material because you do not know your material, the audience is very quickly going to think that you are a bozo.  They are going to say to themselves ‘This bozo is reading his slides.’  I can read faster than this bozo can speak.  I will just read ahead.

And if you’re thinking, ‘well, I don’t read them, I just talk to them’, then you’re missing the point. If there’s text on the screen, the audience will read it, wonder what you’re skipping, and read instead of listening to you.  That’s especially bad at a keynote, because they probably have to strain to read the tiny 8-point font with the wrong copyright date in the footer.  A few words, a strong visual, and a compelling story are all you need, and it’s far more effective; books like Made to Stick, Brain Rules, and A Whole New Mind explain the science behind all this.

The best stories are always personal, which is why it’s critical to design and customize your presentation for the audience.  Bespoke trumps off the rack and sends a message that you are fully invested in the experience.  That’s the opposite of skipping slides in a ‘canned’ deck, which sends a clear message that the audience wasn’t worth the effort to prepare properly.  Likewise, running long at all, or short by a lot, sends a message that the audience wasn’t worth practicing for.  Now, having a stump speech is fine (I have several), but they’re always tailored to the audience. What’s nice about the Zen/TED style is that since the bulk of the content is verbal, a lot of the tailoring can be done in speaker notes.

More substantial tailoring is really like building a presentation from scratch.  That begins with a brainstorming session.  I like going analog – one thought per post-it – and clustering, rearranging, organizing, and cutting(!), on a white board before settling in to build the content and map visuals to the concepts.  For visuals, it’s worth investing in high-quality images or graphics.  My style is photographic, so I get my images at either Depositphotos.com or shoot my own. Yours may be more graphical, but please, no cheesy clip art.   Please keep in mind IP rights to images, and only use ones that are appropriately licensed.

Fonts are important – especially using them consistently and placing them properly.  One pixel out of alignment or slightly different size causes a cognitive lurch and distracts the audience.  Speaking of size, a good rule of thumb is that if you can’t read the font on your laptop screen from across the room, it’s too small.  I built a custom template with fonts pre-set, and gridlines to ensure that everything is in place.  And speaking of templates, don’t use one with a standard header and footer.  If the audience doesn’t know who you are and why you’re there, you’re doing something wrong.  And since you don’t ever (seriously, never…no really, never!) share your deck – it means nothing without your narrative after all – you don’t need to worry about copyright on every page.  I highly recommend Slideology and Presentation Zen as guides to build better decks, and regularly re-read them, especially before building a major presentation.

Last, practice, practice, practice.  Rehearse out loud, with a remote control, either sitting or standing as you will actually deliver it.  If you really want good feedback, record yourself (on video!) and watch the session. Then do it again. Repeat until you know what you’re going to say on the next slide and can seamlessly hit the remote button in the middle of a sentence – no pause necessary between slides.  Trust me, that’s probably the most painful experience you can inflict on yourself, but it pays off.  If you want to see a master presenter at work, go watch any ‘SteveNote’ – a Steve Jobs Apple keynote.

All told it takes between 10 and 30 hours to build and practice a new one-hour presentation, and usually includes between 60 and 120 slides and images.  For the initial few run-throughs, speaker notes with thoughts about what I want to say are hugely helpful, but after practicing enough, all you really need to see on the speaker display is the current and next slide.  That’s when you know you’re ready.

Now all this is about how I build and deliver technical stories.  A lot of these techniques are universal (e.g. lose the slideument), but others, like the photographic style of presentations, are my own creative style.   Bergman, Lucas, Spielberg, Eastwood, Roddenberry, Pournelle, Niven, Rand are all incredibly effective storytellers, each with completely different styles.  Now, I’m not including myself among their ranks, just illustrating that the key to truly effective storytelling is to find your own unique creative voice. We are all storytellers!  Every one of us told stories as kids, made believe that we were super heroes or heroines, animals, cops and robbers, or simply made something up about how that window got broken.  It’s part of being human.  We just have to remember, and practice, how to do it well.

It’s worth the effort. Your audiences will thank you.

Filed Under: Security Tagged With: security, storytelling

