As a huge NFL fan with the DTs without a game to obsess about each week, I am constantly looking for parallels between football and my daily existence. Adrian talked a bit in one of his Incite snippets last week about how Facebook uses red team exercises to make sure they are prepared for the real thing.
Luckily, the answer was yes, because the incident wasn’t real. It was the first of two large-scale red team exercises that Facebook has conducted in the last year. Red team exercises are certainly not a new concept–they’ve been around in the military world for decades and carried over into network security. But few of them are conducted in the way that this one, known internally as “Vampire”, was. McGeehan’s team kept the ruse going for more than 24 hours and kept close tabs on the way that the various participants reacted, communicated and disagreed. The idea, of course, is to prepare the teams for a real-life incident.
And this comes back to something we hear in football circles every week. It’s all about the preparation. The teams put the work in (at least the ones that win), and they trust their preparation and just play on Sundays. They are ready and they give themselves a chance to compete.
“We’re very well prepared now and I attribute that to the drills,” he said. “I’m not sure it would have worked as well otherwise. It felt like the second time we were responding to it and we were all ready for it. It was a much more calm, smooth response. [The exercises were] an incredible net positive.”
The security world is no different. If you spend all day fighting fires and not preparing for incidents, how can you (and your team) expect to perform when the brown stuff hits the fan?
You can’t. Which is fine. Though your management may have a different opinion. So you are best off making it very clear that based on staffing, expertise, funding, whatever, certain things aren’t getting done. Rather than Adrian’s call for the proverbial Security Chaos Monkey to be constantly testing your defenses, I prefer to focus on how to behave given the fact that you don’t have the resources to prepare properly for incidents. As I harp constantly, if you want to have any longevity as a CISO (or another senior security role), you had better get good at managing expectations. Of course that may not save you if (when) things go south. But at least you will have made it clear that you did not have the resources you needed, to the person responsible for getting you those resources.
I underertand that many proud security folks would rather be caught dead than actually admit they can’t do their jobs. Which is too bad because excessive pride tends to be a major factor underlying high CISO turnover.
Photo credit: “Untitled” originally uploaded by dabruins07