Why Security Programs Fail

At Triaxiom Security, we have the distinct advantage of working with hundreds of clients across a variety of different verticals. One week, I may be conducting a penetration test for a Fortune 300 retail organization, and the next week I may be doing an audit for a hospital. This wealth of experience gives us the ability to provide insights from where security programs we’ve seen have had success and, unfortunately, from mistakes we have seen other programs make. Most of the time, when we go into our second year of performing assessments for an organization, we see tremendous improvements. However, other times, we see security programs fail, even those with the best of intentions. In this blog, we are going to explore the three main reasons security programs fail, and some of our recommendations to avoid these common pitfalls.

Obstacle 1 – Improper Priorities

Perhaps the most common way we see security programs fail is a mismanagement of their priorities. Simply put, there is only so much an organization can accomplish each year, whether the constraints be financial, manpower, or both. When your limited resources are channeled in the wrong direction, a lot of time and effort is wasted. At Triaxiom, one of our main goals for every assessment is to give you the critical information you need to make data-drive decisions on how to best protect your network. We do this by emulating the real-world risks you are likely to face, so we can help quantify how likely an event is and what vulnerabilities were leveraged that made it successful. By doing so, we can prioritize the efforts required to achieve your goal.

Unfortunately, we often see clients use the raw results from vulnerability scans to direct the priorities, with the tool-generated critical and high findings marked as the most important. However, as our penetration test will usually show them, there are other, more critical vulnerabilities within the network that would never show up in a vulnerability scan. Further, without context, vulnerability scanning results can easily misguide your efforts. A critical vulnerability patching issue on a printer is usually nowhere near as important as some findings that may be reported as a medium, but that can be combined to provide unauthorized access to a shared network drive. To be clear, vulnerability scans are certainly an important part of any vulnerability management program. But they are only a part of the overall solution and the should be used in conjunction with an overall understanding of the organization and network. Similarly, we see clients who must adhere to the Payment Card Industry Data Security Standard (PCI DSS) try to apply recommended security controls to their entire network, rather than first trying to limit their scope. These are situations where a simple VLAN scheme could have saved them countless hours.

How to Avoid

In order to avoid improper priorities causing your security program to fail, it is important to adopt a risk-based approach. For some of our clients, such as those in manufacturing, it is to keep the plant running so the biggest risk would be something like ransomware. For other clients, such as hospitals, they have a lot of very sensitive information (ePHI) that they need to protect. As such, each security program is different and security controls should be oriented around what needs to be protected and what threats are you trying to protect them from. The best way to create a risk-based approach is to start with a formal risk assessment. Next, penetration testing should be performed annually and this testing should cover the perspectives of your biggest threats. This will help quantify the risk of those threats being realized. Further, a proper penetration test will show you the different paths that can lead to a compromise and where security controls could prevent the attack chain from being successful.

Obstacle 2 – Lack of Organizational Buy-in

Far too often, we see security programs fail because they lack the organizational buy in to make necessary changes. I can’t tell you how many times I have sat in front of a client and told them how we guessed their passwords, only for them to turn around and say, there is no way we can increase our password policy, the executives don’t want to have to type more than 8 characters. Simply put, if you don’t have organizational buy in from both organizational leadership and employees, your security program will fail. A lack of organizational buy-in can make your employees more susceptible to compromise through attacks like social engineering, lower the effectiveness of implemented security controls due to a lack of diligence, and even hamper your ability to adequately respond to a suspected compromise.

How to Avoid

Let’s first talk about organizational leadership. For those at the top level of a company, the best way to get the buy-in you need is to demonstrate the impact to them. Even the most resistant executive will often change their tune when the risks are quantified and shown to them in a report, with screenshots and at a technical level they can understand. Your job as a member of the security team of an organization is to communicate, or facilitate the communication of, the risk to your organization. The best way to do this is to have a penetration test or a more advanced red team engagement. These assessments will include a walkthrough showing exactly how an attacker on the outside can gain access to the network, how an attacker on the internal network can elevate their permissions, and/or what an attacker can do once they have elevated access on your network. This could include showing a list of hosts and backups that would be infected by a ransomware attack, showing screenshots of sensitive information on the network, or achieving a target level of access that would represent a “worst-case scenario”. Finally, we recommend you let us present the results of these assessments and the associated risk to executives. Sometimes, having an unbiased third-party expert explain the risks can help cut through the noise and we can respond to any concerns they have in real-time. Especially if you are in a situation where you have been saying these things for a long time but haven’t been taken seriously.

Next, lets discuss how to get organizational buy-in from your employees when it comes to security. Your employees can be the greatest asset or the greatest weakness to your network. If they fall for a social engineering attack, it really doesn’t matter how good your perimeter security is. There are two goals when trying to get employees to buy-in to security.

First, the goal is to reduce the likelihood of employees falling for social engineering attacks. This can be done through a combination of regular testing and security awareness training. We recommend using a service, such as KnowBe4, that allows you to send out monthly phishing campaigns. When a user falls for it, they get immediate feedback and remedial training on what they should have spotted. We have a myriad of clients who use these types of tools and they have all seen the frequency of users falling victim drop following consistent testing. Additionally, we recommend awareness training that goes further than checking a box. We recommend making it customized to your organization, and based on the attacks you are most likely to see. When we conduct security awareness training for organizations, we use screenshots from portions of social engineering assessments we’ve conducted that are modeled on actual attacks to show users how a dedicated attacker might target their organization. We also explain related security topics like how we crack passwords, how to choose a password that can not be easily cracked/guessed, and how to report security incidents.

The second goal of employee buy-in is to increase the likelihood that your employees will report suspicious activity or phishing attempts. To help with this, there are some great products out there that tie into your email client and allow users to immediately flag an email as phishing so it is immediately sent to IT and can be removed from other user mailboxes. However, at a basic level, it is imperative that your employees know what to do if they suspect their system has been compromised, including:

  • Who they should contact
  • Not to shut off their computer, but to immediately disconnect from the network.
  • That your employees know they won’t get in trouble for reporting it, but are actually helping the organization by doing so.

Obstacle 3 – Lack of Resouces

Perhaps the most common obstacle that that can cause a security program to fail is a lack of resources. This can be budget limitations, personnel limitations, or both. Frequently, we see organizations conduct a penetration test or security audit, put in some of the recommended fixes and tools to assist them with detection or response, but then they don’t have the personnel to maintain everything. They end up with a very expensive blinky box that no one has the ability to respond to. In other scenarios, we work with an organization to complete a penetration test every year but no changes have been made between assessments. This can be due to competing priorities and a lack of resources such that the recommendations can’t be properly implemented. Simply put, some of the changes required are going to cost the organization time and money. Therefore, a lack of resources can really hinder a security team’s ability to improve over time, and they are stuck knowing they have a vulnerable network.

How to Avoid

The best way to try to increase resources is to speak in the language executives use, Return on Investment (ROI). One of your goals as a security professional is to put security into simple language that the executive team can understand. This means understanding how much a security breach could cost the organization and how likely that risk is. Then for each remediation effort you are trying to justify, quantify as much as possible how much this reduces the residual risk that the organization has to operate with.

  • Risk Prior = Cost of a breach X Probability of it happening
  • Risk After = Cost of a breach X Probability of it happening
  • ROI = Risk Prior – Risk After – Tool Cost

This will show your executive team that although it is a cost to the organization, and hurts the bottom line in the short term, you are ultimately saving the organization money in the long run.

Finally, there are going to be times that no matter how good of a sales person you are, your budget and personnel will be constrained. This cannot be avoided but does not have to lead to a complete failure. In these situations, it is critical that you are focusing resources in the right direction (see Obstacle 1). It is also important that your residual risk is understood and accepted by the organization (see Obstacle 2). Finally, you are left to do the best you can with the resources you have. As a final point to this, work with your experts. At Triaxiom, we may be able to help guide you on some short cuts or where the biggest bang for your buck lies in remedial actions, reducing the risk with less cost.