It’s Time to Broaden Our Collective Security Mindset
Has security red teaming finally hit the flat portion of the S-curve? We believe so, and here's a portion of our reasoning.
Most security red teams focus on the technical portion of the system. The human, when considered, is viewed as a weak complement to the technical—something to manage, constrain, and (as a red team) exploit. We see this in the "find and fix" logic that prevails in most security shops and red teams.
To combat this mindset, we need to broaden the field of red teaming to include the whole socio-technical system. This whole-system view involves much more than just the technology and the human-as-technology-interface; it includes, among other things,
Decisions and how they are made;
The operational pressures that influence these decisions;
The often conflicting goals, constraints, and knowledge that inform local decisions at each level within the organization;
The structure and culture of communications within the organization;
How knowledge is shared (or not shared) within the organization; and
The way the organization goes about finding and addressing problems.
One challenge is that these factors are all relatively intangible. They demand skills that many security teams lack. As a result, we keep playing the game downstream, where we are easily overwhelmed, as events continue to show.
RTJ's Mark Mateski will be talking more about this at aRcTicCON October 24. We also discuss this and many other aspects of systems and security in the Reciprocal Strategies proactive risk avoidance course.