Whack-a-mole with Security

Stop dealing with IT security problems when they happen; start addressing the root cause.

As security threats become more prevalent across organizations, solutions must have buy-in across the enterprise – not just within the IT department. Equally importantly, organizations must stop addressing problems as they emerge and start being more proactive about undermining those problems before they cause damage.

Those were the key takeaways in a presentation by Parisa Tabriz, a director of engineering from Google. Tabriz spoke at the August Black Hat US 2018 conference in Las Vegas. In the session, the underlying theme was that security professionals must do whatever they can to incentivize firms to make better and more secure products.

Surprisingly, a mere 20 or so companies are in a position to influence security globally, because they make the operating systems, mobile devices and other products we all use and rely on. Those companies are therefore the only ones truly positioned to set the direction of security for billions of people.

Tabriz’s advice came down to three points:

  • Tackle the root cause
  • Pick milestones and celebrate to stay motivated
  • Build out your coalition of supporters outside of security

Tackle root cause

The automotive industry has historically used the so-called “5 Whys” method to understand the cause and effect behind problems encountered in its processes. That same method should be applied to the security space, Tabriz said.

For example, if someone discloses a code vulnerability, a set of questions should be asked about the incident:

  • Why did this bug lead to Remote Code Execution or some other exploitation?
  • Why didn’t we discover it earlier?
  • Why don’t we have tests for these kinds of problems?
  • Why does it take so long to create updates?
  • Why does it take five weeks to test a security fix?

This methodology will help organizations get to the root cause of problems, Tabriz said.