In the security industry we like to fool ourselves into thinking that we can materially impact an organizations security posture. We believe that new tools, a new framework, a new regulation, a new school of thought will lift the veil of organizational ignorance and enable us to attain the state of enlightened security practitioner.
But as we trudge through the mud and haste of our increasingly digital lives we embrace the continuity of failure that is security, only we have more of it…more threats, more tools to deal with the threats, more people to deal with the tools, more process to deal with the people, more adoption of technology leading to more threats, which of course leads to more of the same – more fail.
Maybe it is time to stop fooling ourselves and recognize that to move forward we have to know our limitations and start to question the status quo that so many others rely on for their livelihood.
So as you stare out the window, morning cup of coffee in hand, a tear rolling listlessly down toward your chin and as your sitting there pondering what went so terribly wrong take a moment to reflect on the top 10 reasons your security program sucks and why no matter how much you kick and scream it will continue to suck…
10. You have no idea what your environment looks like right now, even though you think you do
9. Even if you did, which you don’t, you really have no ability to affect change across your environment in a timely manner anyway
8. Your company is far more concerned with shareholder value than information security, as they should be, but damn it sucks to have to explain to the CFO why you need to use tempest shielding paint, a man trap with armed ninjas and a moat of hungry crocs to protect the server room.
7. Your executives follow the latest hyped trends no matter how much extra work it will create for you and your team, supersoacmdbfragilisticloudcomputvirtuaiphonexusalidocious
6. The tools you use are ineffective (they don’t really work) and inefficient (they cost way too much), not to name any names but they go by the acronyms H-P or I-B-M or C-A or B-M-C
5. Your security vendor is lying to you and why shouldn’t they, you believe them
4. Your security and operations teams hate each other, hell they don’t even speak the same language
3. The bad guys are more interested in attacking you then you are in defending yourself, at least they work longer hours
2. Your dealing with the exact same problems you dealt with a decade ago, only it seems so much worse today then back then
1. You do not believe that your organization suffers from any of the above problems
Something, something this way blogs 
No. 10 strikes a chord with me, good asset management (i.e. what servers and desktops do we have, what partner connections, what apps supported by what servers etc.) is essential to infosec success.
I’d also suggest lacking the organisation lacking documentation of business processes to the required detail is a key blocker to a security program (often this knowledge is in the heads of a middle management). Often in order to secure a critical business process (think credit card security and PCI-DSS) you need to interview then document in order to understand it in order to risk assess, design, implement & operate security controls.
Hey Matthew,
Definitely agree that proper and continuous asset discovery, inventory, and management are key to not only information security but almost all IT programs. It is shocking how bad most enterprises are at asset management, or only perform on an annual scheduled basis.
As for the other part of your comment about proper documentation of business processes – I would agree but not in the context of governance and compliance. Compliance initiatives, like PCI are a really strong reason that security programs suck — but I will save that rant for another post.
These are sadly humorous, in the same way that hitting your funny-bone is simultaneously painful and provides that weird tingly feeling.
#8 is not quite accurate, however, because a failure to pay attention to information security means that you’re not really paying attention to shareholder value. Unless, of course, you believe that shareholder value is increased by sending notifications to customers and banks about how a massive breach will never again be a problem, and how you’re instituting nameless improvements to make all your problems a thing of the past…
-ASB: http://xeesm.com/AndrewBaker
Hey Andrew,
Thanks for the comments. #8 is only inaccurate in the context that an organization understands the implications information security has on shareholder value – I would argue that many don’t and as such they argue that spending on information security negatively impacts the bottom line vs. what might happen if they do nothing or the bare minimum
Show me proof that security breaches impact value. I bet you can’t find it. I bet all you can find are studies that show that any impact (and it is barely measurable) is very temporary. Heck, TJX had record sales the quarter after their massive breach. No one really cares, face it.
As for Amrit’s reply that “that spending on information security negatively impacts the bottom line vs. what might happen if they do nothing or the bare minimum”, this comes down to Prospect Theory, which Bruce Schneier has written about.
Briefly, it seems that people will take accept a risky loss (I’ll suffer a breach which will cost me $1M to fix) in preference to a sure loss (I’ll spend 200K to prevent that breach) I don’t think people even think about it, it is just ingrained in our psychology, and has real ramifications to our trade.
The big problem at most places I’ve worked is that most people don’t care. And in the end all the efforts you make to increase security are circumvented by the very people you work with trying to get around it for their convenience or because they don’t want to learn.
If I could teach people to think then I could do anything.
Hey Deltaray,
Completely agree – not sure why I forgot the #1 reason most security programs suck – nobody gives a shit and those that do play lip service and bypass controls because they are convinced of their own Nietzschean superman prowess
Blah blah blah CFO’s, see Twitter back and forth…
3, 5, and 10 all resonate. 2. makes me wonder why? I think the tools are getting better (could use BigFix as an example where patch management is concerned) but we seem collectively to be doing just as lousy a job as we did years ago, even with improved tool capability. Maybe environmental complexity has increased at a greater rate.
Or maybe as soon as patch management (or insert practice here) wasn’t vogue to talk about anymore, people stopped paying attention.
“Nietzschean superman prowess” – I am going to find a way to work this into a conversation. That might be it, collective misplaced over-confidence.
@Prefect
honestly if you can’t work “Nietzschean superman prowess” or “Ubermensch” into a conversation I would be shocked =)
An interesting aspect of information security is the half-life most have for the fundamentals. Take patch management, we know its important, we know it has to be done, unless you have enough compensating controls, we know that most don’t do it well at all – in fact Gartner has Patch as the #2 most important project for 2010 – yet no one wants to talk about the basics as we are off trying to figure out how to protect ourselves from some exotic hack that has never actually been executed.
The concept of in vogue/exotic vs. the fundamental is another one for a future list
I’m sorry, but I would disagree. My #1 reason most security programs suck is
Executives in many orgs hire security professionals so that comply with some regulation, pretend to buy into security for the moment, but then over-ride the security teams every move later on. Lack of true executive support of security initiatives. Also, to give some fairness to my statement, too many security professionals have yet to learn how to speak english to upper management about risks, ease of remediation, and remediation costs vs. costs of risks.
just my .02
Really good points…we needed a top 20 =)
SecBarbie,
I disagree with
“Also, to give some fairness to my statement, too many security professionals have yet to learn how to speak english to upper management about risks, ease of remediation, and remediation costs vs. costs of risks.”
If you focus on the message, you are in the wrong area. You need to focus on the recipient of that message. We all say how suffering some breach or getting some new regulation always results in increased security spending. Why? Did our message become more clear? Did we learn the right incantations and magic words? No. The executives realized, only briefly, that they need to care. They invested time to listen and act.
The same is true with insurance. 20 year olds don’t buy health insurance, not because they don’t understand it, not because it isn’t marketed well, but because they don’t feel they need it and they don’t care. When that same person turns 35 and has 2 children, I bet they want insurance. Again, the message didn’t change, the recipient’s impression of their need changed.
If we forever pretend that there are some spcial words, or if the slides looked just a bit more professional, or whatever, then we’ll never solve the problem. Execs need to feel responsible for the problem, and until they do, we may as well speak Klingon.
Pingback: Interesting Information Security Bits for 01/06/2010 | Infosec Ramblings
Interesting article! Keep up the good work!
Pingback: OVSAGE Meeting Presentation January 21st Notes | The Pythian Blog
Pingback: Client Hosted Virtual Desktops Part 1; Own the OS « Amrit Williams Blog
Pingback: Saturday MustRead: Amrit Williams’ Blog
Pingback: Top 10 InfoSec Top 10 Lists | Log Management Central
Pingback: Your Landing Page Sucks! Here are 10 Examples That Don’t… | Unbounce