After reading through some security blogs and strategy papers, I saw what appeared to be an underlying theme across the narratives I’d read: Security tolerates failure.
It’s understandable that it happens, but I think if we are honest with ourselves, it happens because of a collective acceptance that close enough is good enough. It can be easy for any of us to offload responsibility when so many things aren’t in our control, and we can feel powerless because of it. In almost every instance I read about, I saw leadership and technical security folks pointing fingers at all kinds of issues, but I hardly ever read about any of them taking ownership — or even acknowledging that security earned this failure. The bad things did not happen through osmosis; no evil hacker just magically jumped into the network. Failures occurred because of a series of bad decisions, poor strategy, and a lack of enforcement of well-known security practices.
Let’s think about this for a second: You deserve what you tolerate. What does that message mean in the context of cybersecurity and security operations?
If companies collectively turn a blind eye to lackluster security policies and don’t bother to enforce the standards that were put in place solely to defend their networks, these organizations deserve the bad things that will inevitably occur because of those decisions. If companies do not wish to enforce a user policy because users gripe about it, again, they deserve the work and stress that comes with the imminent breach headed their way. If companies tolerate vendors selling them technology that comes with default hard-coded back doors and lacks any way to technically control or patch that device, it can’t be surprising when it becomes an IoT threat to the network and every other network on the server.