This post isn't so much a rant as it is a philosophical approach to a long career protecting IT assets in the field known as IT Security.
Since 1999 I've been working in and learning IT Security. Over the years my thinking has evolved from seeing things purely in black and white to a rainbow of shades of gray. I have a few key points here now for your consideration...
- Security is shades of gray. Over the years I've learned that I cannot give a real answer to the question: Is this asset secure? The reason I can never say yes is that I'd be lying. You security pragmatists know exactly what I'm talking about. We've consistently failed to make an impact on management because we just can't answer the "am I secure yet?" question. The answer is always no.
- Security isn't an end-game. We're never going to reach a state, within our respective arenas (whether that's where you work or where you consult), where we've "won". The bad guys are always going to keep coming; there will be new holes to fill tomorrow, and new security challenges. Most of us see that as a glass half-full because (a) we'll never be out of a job and (b) we've always got something new to do... but it's tiring knowing you're never going to get there.
- The business doesn't actually care. I've said it. Poll just about any business leader out there and they'll tell you they're doing many things to secure their customers and themselves from hackers. Dig into that, or sit in on a project meeting from the inside... and you quickly realize that's crap. Sure, they're willing to invest heavily in security as long as it's unobtrusive, simple, and free. My colleague Russ McRee over at HolisticInfosec.org continually proves that banks, of all verticals, posture themselves as having great security - but in actuality care very, very little.
- It's nearly impossible to measure good security. Isn't that the sad truth? Good security is nearly impossible to measure. How can you tell your upper management that today you stopped a hacker from stealing a million credit cards from your database? You can't. You can't even say with any reasonable certainty that you've ever done that. We're all selling life insurance, folks, hoping the patient doesn't die before we get a chance to cash our paychecks.
I know what you're thinking, what a way to start a weekend... but it's been building over the past several months and I've got some research coming soon that'll help make me feel a little better. Stay tuned. And don't let your job drive you to drinking :)
2 comments:
I'd really challenge many of the assertions you're making here. I mean, I feel your pain, but I know people who are having success.
Businesses (including the large banks I work with) do care, but only once you're able to communicate your value. That does take measurement, but that's not measuring security, it's measuring "risk".
And risk must be measured using different metrics than "medium" or "57" or "6.4" - they must be metrics that are meaningful to decision makers ($ and time).
Second, I wholeheartedly believe you can measure "risk" and "security". It's not easy, and there aren't very many people doing a good job at it, but there are several satisfactory approaches out there.
@Alex: Don't confuse my despondency with an inability to do my job effectively. I've been at this since the late '90s, so I've gotten quite good at demonstrating business value in security, and IT risk as a component of business risk... it's just that I can't help but feel that no matter how well I do my job... we all do our jobs - people still don't care. Ultimately, businesses will write down losses due to security exposures and move on... people will ultimately not care (see TJX case) and that leaves us to do our jobs, saving the unwilling from themselves.
... and that's a sad state of affairs.