This post isn't so much a rant as it is a philosophical reflection on a long career spent protecting IT assets in the field known as IT Security.
Since 1999 I've been working in and learning IT security. Over the years my thinking has evolved from seeing things purely in black and white to seeing a whole rainbow of shades of gray. Here are a few key points for your consideration...
- Security is shades of gray. Over the years I've learned that I cannot give a real answer to the question: Is this asset secure? The reason I can never say yes is that I'd be lying. You security pragmatists know exactly what I'm talking about. We've consistently failed to make an impact on management because we just can't answer the "am I secure yet?" question. The answer is always no.
- Security isn't an end-game. We're never going to reach a state within our respective arenas, whether that's where you work or where you consult, where we've "won". The bad guys are always going to keep coming; there will be new holes to fill tomorrow and new security challenges. Most of us see that as a glass half full, because (a) we'll never be out of a job and (b) we've always got something new to do... but it's tiring knowing you're never going to get there.
- The business doesn't actually care. There, I've said it. Poll just about any business leader out there and they'll tell you they're doing many things to secure their customers and themselves from hackers. Dig into that, or sit in on a project meeting from the inside... and you quickly realize that's crap. Sure, they're willing to invest heavily in security, as long as it's unobtrusive, simple, and free. My colleague Russ McRee over at HolisticInfosec.org continually proves that banks, of all verticals, posture themselves as having great security, but in actuality care very, very little.
- It's nearly impossible to measure good security. Isn't that the sad truth? Good security is nearly impossible to measure. How can you tell your upper management that today you stopped a hacker from stealing a million credit cards from your database? You can't. You can't even say with any reasonable certainty that you've ever done that. We're all selling life insurance, folks, hoping the patient doesn't die before we get a chance to cash our paychecks.
I know what you're thinking: what a way to start a weekend... but this has been building over the past several months, and I've got some research coming soon that'll help me feel a little better about it. Stay tuned. And don't let your job drive you to drinking :)