Full Report
While doing some thinking on threat modelling, I started examining what the usual drivers of security spend and controls are in an organisation. I've spent some time on multiple fronts: security management (been audited, had CIOs push for priorities), security auditing (followed workpapers and audit plans), pentesting (broke in however we could), security consulting (tried to help people fix stuff), and I even dabbled with trying to sell some security hardware. This has given me some insight (or at least an opinion) into how people have tried to justify security budgets, changes and findings, or how I tried to.

This is a write-up of what I believe those drivers to be (caveat: this is my opinion). It is certainly not universalisable, i.e. it's possible to find unbiased, highly experienced people, but they will still have to fight the tendencies their position puts on them.

What I'd want you to take away from this is that we need to move away from using these drivers in isolation and towards more holistic risk management techniques, of which I feel threat modelling is one (although this entry isn't about threat modelling).
Analysis Summary
# Security Control Drivers and Biases in Organizations
## Key Points
- The analysis examines common drivers that dictate security spending, control implementation, and budget justification within organizations.
- These drivers are derived from the analyst's experience across security management, auditing, penetration testing, consulting, and vendor interaction.
- A major recommendation is the need to move away from using these drivers in isolation towards more holistic risk management techniques, such as threat modeling.
- Different roles (Auditors, Vendors, Pentesters) introduce inherent biases that skew security priorities.
## Threat Actors
This section does not detail specific threat actors (e.g., APT groups or cybercriminals). Instead, it focuses on the *roles* that influence security prioritization:
- **Auditors:** Security efforts are often driven by the hierarchy of financial controls, leading to prioritization of vulnerabilities in financial systems while advanced attacks (like token hijacking) may be missed.
- **Vendors:** Security product priorities are driven by the need to sell "new shiny things" (new problems) and sometimes by overinflating existing problems.
- **Pentesters/Vulnerability Researchers:** Motivations often center on demonstrating "New Attacks" or "Complex Attacks," which can divert attention from fixing older, known vulnerabilities (e.g., ignoring Layer 2 attacks despite their persistence).
## TTPs
No specific technical TTPs related to a cyber attack are detailed. The focus is on the *behavioral TTPs* of the entities influencing security spending:
- **Auditors:** Focus heavily on the "flow of financial information" for system assessment; prioritization is influenced by auditor skill, rotation plans, and audit house priorities (e.g., add-ons driven by consultant revenue).
- **Vendors:** Use marketing (Hype Curve) to justify product sales (DLP, NAC, APT prevention) regardless of whether foundational security issues (e.g., weak passwords, basic firewall functionality) are resolved.
- **Pentesters:** Prioritize demonstrating novel, press-worthy vulnerabilities over issues that have existing, known fixes (e.g., pointing to publicized vulnerabilities like the DNS bug or HTTP-based sidejacking).
## Affected Systems
The context indicates that organizational systems are indirectly affected because risk prioritization is biased:
- **Financial Systems:** Heavily scrutinized by auditors due to the origin of audit frameworks.
- **Critical Systems:** Often ignored if they are not explicitly mapped within the "flow of financial information" spreadsheets used by auditors.
- **General Infrastructure:** Foundational security issues (like weak passwords or basic network controls) are sometimes ignored while new, complex product deployments are prioritized.
## Mitigations
The primary mitigation proposed is strategic, focused on improving security governance rather than specific technical fixes:
- **Holistic Risk Management:** Organizations must adopt more holistic risk management techniques.
- **Threat Modeling:** Explicitly mentioned as a technique to move beyond isolated drivers of security spend.
- **Countering Isolated Drivers:** Defenders must avoid reacting purely to vendor marketing, auditor rotation, or pentester novelty, so that attention remains on foundational security hygiene.
## Conclusion
The primary conclusion is that security budgets and controls are heavily influenced by the inherent biases and motivations of auditors, vendors, and penetration testers. Organizations must consciously shift from reactions driven by these isolated perspectives towards structured, comprehensive risk management frameworks like threat modeling to ensure security priorities accurately reflect genuine risk.