Today my boss asked me how it was possible that none of SolarWinds' customers caught the dumpster fire of their infosec in due diligence. The short answer is that DD is hard. The longer answer is cultural. 1/23
First, about due diligence - it's a good term. You're not going to catch everything, but you can catch obvious red flags and investigate. At some point trust is involved - especially on self-assessments. People lie. People make mistakes. Etc. 2/23
Someone posted, "If only we had asked our vendors to fill in a spreadsheet with hundreds of rows of data, this could've been avoided." That's hilarious because it's true, but execs often conflate detailed DD questionnaires with an understanding of third-party risks. 3/23
We've gone to some really simple questions whose answers serve as proxies for, "How much digging should we do here?" It's like 10 questions. One is, "Do you require all employees to use non-SMS MFA for all access to prod and non-prod networks?" No? We gon' talk. A lot. 4/23
We ask for third party attestations; not having one means we're going to make you fill in the VSA Full questionnaire, which I think is a reasonable number of non-anal "table-stakes" questions, depending on the criticality of what we let you touch... 5/23
We also ask for recent penetration test results and discuss them with their infosec people. But I consider much of this less important than what we are really asking: "Does your firm have a culture of security as expressed by your commitment to and investment in it?" 6/23
The proxy for that answer may be found in Question 2: "Does your company have an executive in charge of information security?" And if yes, "What is this person's title?" Honestly, if you have no equivalent to a CISO, you don't care about security as much as we'd like. 7/23
I don't care if it is a CISO, or Director, or CSO. I do care (a) that someone owns it; and (b) that it's a real job, with senior management buy-in for the role. The answer is often telling. 8/23
Another question is "Do you have a written information security program and policy?" Bluntly: if you say YES to the CISO question and NO to this question, we're done talking. Information security can't be winged. It can't be "the Chief Compliance Officer" in charge. 9/23
When @alexstamos left Facebook, the company obtusely decided not to replace him. That's all the more gobsmacking because of the depth, quality, and gasp-inducing quantity of data Facebook holds on all of us. Screw credit cards: Facebook knows what and whom we like in bed. 10/23
"We are not naming a new CSO," they said, "since earlier this year we embedded our security engineers, analysts, investigators, and other specialists in our product and engineering teams to better address the emerging security threats we face." That indicates a problem. 11/23
SolarWinds, too, did not have a CISO. That's a problem. Not automatically a showstopper, but it's indicative of a company that considers itself to be, at a minimum, different from most of the rest of the tech industry, and that's remarkable. I'd have questions. 12/23
Often, in my experience, the answers to those questions about why they have chosen to have no CISO would result in whiffs, wafts, a soupçon, if not plumes of dumpster-fire smoke. Not always. Often. 13/23
That doesn't speak, though, to what my boss asked, but it begins to: Why did so many companies allow SolarWinds Orion to pass due diligence? Having spent years in government, I suspect much of it is, "Well, Treasury is running it, so it must be good." Human fail. 14/23
The transitive property of trust is, ironically, highest in the parts of government where we see cleared people working. If it's an unclass network, people tend to minimize its importance. And too, they trust others in their circles with these kinds of recs. 15/23
In the private sector it's much the same, with groups of CIOs meeting to "benchmark", which leads me to my last thoughts, in the words of @wendynather: "Benchmarking is great, but what if your peers are also bad at security?" 16/23
Often industry cliques form, and the more cliquey it gets, the worse the advice can get. But it's true that if you meet regularly with your counterpart from your biggest competitor, and you're both F1000 or G2000, you tend to heed their advice as gospel. Human fail. 17/23
I think it was @RidT who referred to attackers "finding the seams" in our information security infrastructure; that's a nice image. Blue is always harder than red. Since this is so hard, we must focus on what we can fix; assume compromise; gain visibility. 18/23
This means traditional views of due diligence, with soulless procurement Oblomovs peddling spreadsheets-from-hell as if they can divine the "answer" to third-party risk, need to be rethought. We should focus on burning down tech debt, doubling-down on visibility... 19/23
...and tripling-down on defining strategy and the tactics we employ in support of it. Burning tech debt requires an understanding of our SDLC and our data pipeline that must be leveraged. 20/23
Since we can't really spend six months assessing the security of every vendor we hire, making better decisions about what vendors get to see what data is an important consideration. Compartmentalizing risk. Monitoring performance. Pen testing. These are all part of it. 21/23
In the past 5 years, the IT world has truly had a paradigm shift towards vast, complex systems that require well-designed automation and excellent configuration to not sink us. I said at #RSAC2020 that poor cloud configuration leads to stupid at cloud speed. 22/23
Blaming others, or blaming 3PR assessments, or procurement people, or security people, is not helpful. These problems affect us all, and we all get pwned. The measure of the successful is how, and how quickly, one identifies and recovers from it. /fin
You can follow @fuzztech.