The “Security Hero” Culture is Changing

By Michael Farnum

Will Rogers said, “Being a hero is about the shortest-lived profession on earth.”

I would agree with Will, since I am pretty sure he was referring to a hero in the traditional sense of the word. But when it comes to the information security world, this wisdom unfortunately does not apply. The “security hero” is a role that has been around for far too long.

Before I say more, I think it is time for a definition. The security hero is that person who has traditionally stepped in to fix the problem of security when no one else was there to do it. You know that person – the one who sees a hole in security, figures out a fix, and then installs the fix. Heck, you may have even been that person.

You need a new rule in the firewall? Done!

The HR director says that we need to stop people from going to inappropriate websites? Done!

Yes, the hero gets things done. The problem is that he or she is focused only on the point problem and the point solution, not on how that fix fits into the security needs of the organization as a whole.

What caused this rise of the security hero? Basically, when organizations started figuring out that security was really needed a few years ago, it oftentimes did not translate into the creation of a strategy that took business objectives into consideration. The work was typically done by the IT department and was dedicated to the technical side of security - firewalls, intrusion detection, web traffic filtering, anti-virus, etc. Not that those solutions weren’t important. But, the technical focus didn’t look at security as an overarching issue that affected more than IT.

Then compliance came on the scene. The fines and stigma that often accompany a failure to comply motivated organizations to put more emphasis on security. But this did not necessarily mean a holistic view of security was adopted. While compliance was a broader focus, it was still a narrow one. Often whole teams were created with the sole mandate of being compliant with one or more regulations. The hero may have turned into a band of heroes (which has a distinct “Robin Hood” ring to it), but it was still a hero culture.

The hero deserves admiration for moving the security needle forward through hard work and diligence. But the conditions that create the need for a hero actually cause more problems than they solve. The round-and-round security fixes that don’t address the needs of the organization as a whole have to stop. Thankfully, this is happening now. Today’s security culture is changing.

So how is it changing? To find out, I invite you to download the first installment of Accuvant’s new thought leadership series, entitled Trends from the Trenches. This first paper is entitled “The Era of the Security Hero is Over - Adopting Governance for Holistic Information Security Strategy”. In it, you will see why the trend toward governance is occurring and how it is changing the way organizations view security, and learn some practical steps to help you move that way yourself.

As a bonus, Doug Landoll, Accuvant governance guru, and I sat down in the lobby of a busy hotel and discussed the trend a bit. In the video posted below, Doug gives some great insights into what he is seeing at client sites and why governance is necessary for a strong security program.