Episode 60: Insiders: Security Threat or Ally? Part 3

Amrit Williams, BigFix CTO winds up the conversation with author and speaker Michael Santarcangelo on the nature of insider threats and how to manage them.


FULL TRANSCRIPT

Amrit Williams: Welcome, this is Amrit Williams, your host on Beyond the Perimeter. I am back with Michael Santarcangelo, author, catalyst, and speaker. It has just been a captivating conversation with Michael about insiders and consequences and people, information, and risk. I wanted to come back to something you said in the last podcast.

Michael, you had mentioned that many people are divorced from the consequences of their actions, and I wrote that down. That really struck me, because I was thinking about comments I hear all the time, which are around, people saying, well, the reason I bought product x, or I did process y, or implemented policy z, is because I know that whether or not it’s effective, if it fails, I won’t be held accountable, because I can simply say, sure, we had a virus infection, but I am using product a, and it’s the leader. Or yeah, sure, no, someone got through our firewalls, but I configured them exactly how I was told to based on this little book that says, ‘How to Configure a Firewall’, which is the market leading book on configuring firewalls per se.

It struck me when you were saying that: what are the consequences for IT people who just do the bare minimum? It doesn’t seem like there is a lot. If you have implemented the market leader in AV product, and you know it may or may not be the best, and you can prove it doesn’t work properly, but yet you get infected with viruses, your job is not impacted.

Michael Santarcangelo: It’s fascinating to look at those, because when I started out writing ‘Into the Breach’, I didn’t have a conclusion in mind. What I said was, we have all these breaches, they keep happening, we have to go deeper into it. I posited a simple question, what is the breach? It’s a symptom, and it’s not the actual challenge.

What I came back with was our actual challenge was that people, not just IT people, people are disconnected from the consequences of their actions, and it has a very real manifestation; lack of responsibility, lack of accountability. We can see this in the federal government right now. This is a global challenge. It’s not just the security challenge.

So what does it mean? Well, it’s fascinating to me that what you just described was the old, if it’s IBM, I won’t get fired if I buy it. You can supplant that now with 1,000 companies. If it’s the market leader, if they are ranked the right way, if they are recommended to me, I like to say, if they have got a box with little blinky blue lights on it that I can point to my boss and say, look boss, it’s working, I am okay.

When we look at the consequences of actions, I do think people are divorced from them. But there are a couple of ways, and this can be applied to any number of things. But what I start to do to frame the situation differently is I am going to posit something, because most of us when we look at consequences, we immediately want to label the consequences as being good or bad. What I suggest is we just look at consequences as being intended and unintended.

Now, you can later apply the subjective labels of good and bad. But most of us take an action to get an intended result. I think what we have to start to do is to say, okay, I took an action, now there is a consequence. Most of us, at least most of us I hope are trying to teach our children that our actions have consequences, and we have to live by them. It doesn’t always seem to be that way in the corporate world, because of what you laid out Amrit, but what if we just look at if it’s intended or unintended?

Let’s go back at the example we just had. So a lot of people will say the best practice is we must protect data, or as I am more preferred to say, information. Now unfortunately, it usually comes with this little grumble, our people are stupid, they are going to screw it up anyway. Now, I don’t accept that. But you hear it all the time. So what’s the answer? Well, we will just encrypt it.

Now, when somebody says, hey, why are you encrypting my laptop? What do we do say? You wouldn’t understand it anyway, which probably means, I don’t really understand encryption myself so don’t ask me any questions, because I want to appear smarter than you. So I am just going to pretend that you are too dumb to get it. And then we roll out encryption and then nothing really works.

So what was the intended consequence of rolling out encryption? The intended consequence is that we would reduce data loss, and that we would be “secure” or protected or whatever qualifier you want.

But what’s actually happening? People are writing down their passwords. People are abandoning the technology. People are circumventing it. People are doing whatever. That’s the unintended consequence. Great!

Now, when we look at it that way, it gives us a much different way to look at things. I think what happens is — let me give you an example. I recently got interviewed by a major media outlet. The guy spent a couple of hours with me, and at the end I said, hey, it’s been a joy talking to you, let me give you a copy of my book.

I gave him a copy of my book. He sent me a note about a week later and said, Michael, I have only gotten through the first part of your book, I am realizing now, I have done so many things at work that must be driving the IT people insane. And I now know why I am doing it, but I am making changes because I realize that that’s going to screw me up more than it will screw them up. Bravo! I mean, you are the poster child for what I am trying to work on.

The point that I am making is that, it’s not just IT folks, it’s anybody, most of us today don’t stop and think. I don’t think Amrit, most people stop and say, well, wait a minute, I know it’s the market leading firewall, but what’s the problem that we are trying to solve? We say, Internet bad, firewall good, you have to have a firewall. Which firewall do you get? Well, you go buy the best, of course, because then no one will question me, and I have all the literature to prove it. So when the CFO says, why are we buying this firewall, I will drop a mound of reports in front of him and say, because all these thousand people say it’s really good, so we should buy it, and we are good too.

No one stopped and said, wait a minute, what are we trying to do? What’s the action we are worried about? What’s our intended consequence, and are we going to meet that? So the cycle kind of perpetuates and perpetuates and perpetuates.

What I found then is that, if we keep labeling stuff good and bad, well, nobody wants bad, so we don’t look at intended versus unintended. So what I always look at is, if we are concerned about people who are divorcing the consequences of their actions, we have to take away the qualifiers first, and just say, well, what did you expect to happen?

Now, what I normally suggest then, because this is the difference between a professional and a practitioner. I think professionals can take a look at their consequences, the intended and unintended, and I think they have an obligation to start to expect a potential impact. Because unintended can be good, and they can ultimately influence the design or the roll out or the operation of something, such that you minimize the unwanted or the negative impacts, because they take a broader view.

Whereas, I think practitioners get really stuck in terms of, I have to get to point A, and I am going to do it, and I don’t care who is in my way. It’s a slightly myopic view, and it’s probably something that requires a little bit more nuance to really get into. But it’s the difference of saying, practitioners say no, professionals say yes. It comes down to looking at the consequences, because sometimes no drives a bigger unintended consequence that on a negative scale is an order of magnitude more devastating than any other pathway.

Amrit Williams: Well, I think you are right. I think that organizations do need to look at intended versus unintended consequences and definitely set expectations properly. I was thinking about what are the consequences of failure to the IT security people, specifically though, that they are divorced from the consequences of their actions, because there are no consequences to them for their actions in many cases.

If you are a sales guy in an organization, you don’t make your quarter, you do that twice, you are fired. If you are an AV desk jockey and you have hundreds of virus outbreaks, and you are using the leading AV product, you are probably not going to get fired.

So I was actually wondering about that. This would be the stick side of human interaction. So definitely agree with all your comments on intended and unintended consequences. I was sort of focusing on what are the consequences to IT security for only doing the bare minimum? Should there be any?

Michael Santarcangelo: Well, I think that there should. I think the thing we have to consider is that this is still an immature field. Yes, there have been people doing it since the 60s. But if you tried to go to a conference based on security in 1998, you probably had to go to a UNIX conference or UseNeXT conference or something to that effect, and go to the security track. It has gained a lot of attention rapidly. The technology has proliferated in a way that most of us don’t understand the implications of it. So the consequences of our actions require somebody to stop and to ponder and to think and to set an acceptable baseline.

I think as an industry it’s still pretty immature. So if you talk about sales, and I lay out a quota, you are a salesperson, we know how sales work more or less, and it’s either realistic or unrealistic and it’s very measurable. The challenge with security has often been, we are trying to protect against something that we don’t want to happen, that’s tough to predict, that’s tough to see, and it’s changing probably faster than our ability to keep up with it is.

I think what we have to get better at measuring then is the unintended consequences of well-intentioned actions. It’s that, so I am doing the bare minimum, which I don’t even know how we define bare minimum anymore, although I am actively researching it, but what if you buy x, y, z product, because everybody else did? We need to start looking at the measures of, so did your overall risk go up or down? In measuring people that way, then we can tie them back to the consequences of their actions.

Amrit Williams: I think you are right though. We are a far way away from that. It’s unfortunate, and hopefully we will move towards that in the future. You said something I wanted to touch on before we end. You had mentioned sort of the dynamics of human interaction. People are generally good. They want to do the right thing. They can be instructed to do the right thing. People aren’t stupid was the comment you made.

I don’t think people who rally against user awareness training, as I have in the past, necessarily think people are stupid. What I think people are is human, and humans have an innate ability to want to believe, to want to trust, and to want to belong. We are just socially rigged that way. It’s why when we see something that says, somebody loves us, our first instinct is, oh cool, somebody loves us, we want that validation before our other part of our brain clicks up and says, danger, danger, danger.

I think that human psychology is very difficult to change. I think that awareness is important but — and I don’t think people are stupid, but I think changing basic human psychology is very difficult.

Michael Santarcangelo: Or maybe even not the point, right? I mean, look, I agree with you, and I don’t know that I would necessarily want to live in a world where everybody was cold, distant, aloof, and didn’t like anybody else. I think what has to happen is, we have to — and this is probably a great follow-up discussion, because this is something I have been really focusing on a lot, but to try to distill it quickly, it’s as simple as suggesting that what we have to look at really is just consequences of actions. That when you say to somebody after they have done one of these breach-inducing things or security breakdowns, you say, what were you thinking? I wasn’t. Okay. Well, now that you have a better world view of it, you have a new level of self-awareness, I wouldn’t do that again. Does it make them mean, grouchy? No, no, it’s a shift.

The difference is, I don’t think we can keep telling people and beating them with a stick. It doesn’t mean we have to go to a carrot. We have to change the message. We have to change the approach, and we have to get them involved in more of a dialog, instead of just making everything a directive.

Amrit Williams: You are absolutely right. It is about dialog. It’s about continuing that conversation. For those of you who are interested in learning more about Michael Santarcangelo and his book, ‘Into the Breach’, where he talks about many of these subjects, you can definitely find that information at securitycatalyst.com.

Michael, thank you very much for joining me today. It was just a fascinating conversation, and I do want to have you come back very soon so we can continue this conversation. Michael Santarcangelo everybody, thank you.

Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.

Thanks for listening.
