Friday, December 12, 2008

Security Philosophy: What does it all mean?

Hey folks - I know it's basically the weekend and I should be headed out but it's been an insane 2 weeks at the office and I just have to get some stuff out of my brain and onto this blog before it falls out to make room for other crap.

This post isn't so much a rant as it is a philosophical approach to a long career protecting IT assets in the field known as IT Security.

Since 1999 I've been working and learning IT Security. Over the years my thinking has evolved from purely seeing things in black and white to a rainbow of shades of gray. I have a few key points here now for your consideration...
  • Security is shades of gray. Over the years I've learned that I cannot give a real answer to the question: Is this asset secure? The reason I can never say yes is that I'd be lying. You security pragmatists know exactly what I'm talking about. We've consistently failed to make an impact on management because we just can't answer the "am I secure yet?" question. The answer is always no.
  • Security isn't an end-game. We're never going to reach a state in our respective arenas (whether that's where you work or where you consult) where we've "won". The bad guys are always going to keep coming; there will be new holes to fill tomorrow, and new security challenges. Most of us see that as a glass half-full because (a) we'll never be out of a job and (b) we've always got something new to do... but it's tiring knowing you're never going to get there.
  • The business doesn't actually care. I've said it. Poll just about any business leader out there and they'll tell you they're doing many things to secure their customers and themselves from hackers. Dig into that, or sit in on a project meeting from the inside... and you quickly realize that's crap. Sure, they're willing to invest heavily in security as long as it's unobtrusive, simple, and free. My colleague Russ McRee over at HolisticInfosec.org continually proves that banks, of all verticals, posture themselves as having great security - but in actuality care very, very little.
  • It's nearly impossible to measure good security. Isn't that the sad truth? Good security is nearly impossible to measure. How can you tell your upper management that today you stopped a hacker from stealing a million credit cards from your database? You can't. You can't even say with any reasonable certainty that you've ever done that. We're all selling life insurance, folks, hoping the patient doesn't die before we get a chance to cash our paychecks.
This brings me to the main point I've been building up to... and I hope it's almost obvious at this point. I've been asking myself lately... what is it that I've accomplished? Have I made the world a safer place by tirelessly fighting the corporate machine to be more security-minded? Have I moved that needle at all? I'd like to think that I have, and I'd like to say that between the awareness & evangelization, project work in corporate America, and my personal crusades I've changed at least a few important people's minds to be more security conscious. But how do I measure that? The sales folks at my day job measure their success by the dollar revenue they generate for the company... how do I measure my worth to my employer? How do any of us?

I know what you're thinking, what a way to start a weekend... but it's been building over the past several months and I've got some research coming soon that'll help make me feel a little better. Stay tuned. And don't let your job drive you to drinking :)

2 comments:

Alex said...

I'd really challenge many of the assertions you're making here. I mean, I feel your pain, but I know people who are having success.

Businesses (including the large banks I work with) do care, but only once you're able to communicate your value. That does take measurement, but that's not measuring security, it's measuring "risk".

And risk must be measured using different metrics than "medium" or "57" or "6.4" - they must be metrics that are meaningful to decision makers ($ and time).

Second, I wholeheartedly believe you can measure "risk" and "security". It's not easy, and there aren't very many people doing a good job at it, but there are several satisfactory approaches out there.

Rafal said...

@Alex: Don't confuse my despondency with an inability to do my job effectively. I've been at this since the late '90s, so I've gotten quite good at demonstrating business value in security, and IT risk as a component of business risk... it's just that I can't help but feel that no matter how well I do my job... we all do our jobs - people still don't care. Ultimately, businesses will write down losses due to security exposures and move on... people will ultimately not care (see TJX case) and that leaves us to do our jobs, saving the unwilling from themselves.

... and that's a sad state of affairs.
