The Information Security industry is awash in dire predictions of its own demise and constant questioning of its own importance. I wrote about this in a post titled “The Unbearable Lightness of Securing”. Mogull discusses this in one of the year’s better blog titles, “An Optimistically Fatalistic View of the Futility of Security”, in response to a post about meatloaf from the Hoff, which was followed by another post from Hoff, “Information Security: Deader Than a Door Nail. Information Survivability’s My Game”. All of this must lead one to believe that security bloggers arm themselves not with the latest security widgets but with all the elements of literary style one can arm oneself with, but jousting poetic is not the point of the post. The point is to finally welcome the security industry (or the survivability industry if you are so inclined) to the world of Information Technology – so without further hesitation let me tip my hat, extend a hearty handshake and slide over a chair for the weary, downtrodden rogues of security as you finally recognize what IT operations and networking folks have recognized for decades – we all simply do the best we can to ensure operational availability of IT resources to support business functions. Hoff has a definition:
Information Survivability is defined as “the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents to ensure that the right people get the right information at the right time.”
One of the first enterprise networking jobs I had was working for a large advertising firm in San Francisco. Netware 3.x was on the horizon and I was responsible for most of the IT infrastructure. Security at the time pretty much consisted of an elderly gentleman named “Jim” who sat in the lobby and would wave pleasantly whether he knew you or not. Periodically Jim would ask folks, based on no predictable pattern, to “kindly sign the visitor sheet”. Of course we had to deal with passwords and access rights, but it was a simpler time; it reminds me of how my parents talked about the 1950’s. But even then there was still a lot of “IT’ing” going on, and the team and I would often arrive early in the morning, work nights and weekends, and do the best we could to ensure operational availability of the IT resources required to support business functions.
One of the ladies in accounting approached me one day and asked, “What do you do here? I never see you do any real work.” I was really taken aback. I worked my ass off, I couldn’t recall ever seeing her in the office before 9am, and I didn’t take an hourly smoke break like she was prone to, often returning to the office smelling like a cheap Thai whore as she waddled through the halls with her meaty fingers choking the life out of a bag of Doritos – maybe I am still bitter – but losing my cool was not an option, so I shot back, “Do you ever have any problems with your phone, your email, your printer? Did you experience any issues when we migrated to the new office or when we upgraded to Lotus 1-2-3? Are you able to use the computer and the applications you need to perform your duties to the best of your ability?” She responded, “I suppose, I haven’t noticed any issues,” to which I replied, “That is what I do, all day, every day – the best that I can to ensure you are able to use the tools you need to do the best you can.”
IT was never about perfection: perfect networking, perfect applications, perfect storage. IT was always driven by availability of services, of resources, of new technology to improve process efficiency or reduce costs, but I do not recall the word perfection ever entering into a conversation about IT – ever. Well, almost: sometimes when something broke one might quietly mouth “perfect” in a sarcastic tone.
Enter the information security professionals riding a CIA wave of misunderstanding, mismatched expectations, complete lack of measurability (we are still arguing whether one can even measure IS, let alone what one would measure if one were predisposed to measure something) and carrying the flame of FUD high atop a mountain of perfect imperfection. OMG! we scream, between ROFLs, as mountains of frowny face emoticons cloud IM screens and blog postings as we ramble on about the inadequate security programs deployed by every manner of organization to wrap themselves in a blanket of technical chaos, and in doing so we only serve to alienate our industry and our mission, assuming of course we have an achievable mission. We do, and we have, and whether we call it something different like Information Survivability or some such nonsense, it doesn’t change the basic tenet that IS professionals seem to forget – we serve the business or organization that employs us, and we have been hired to ensure that services are available to provide the functions required by the business.
This is where the data-centric and privacy folks enter the fray discussing the importance of confidentiality and integrity of data, and I wouldn’t disagree that these things are important, but they are not a perfect state; they are all part of how IT has been providing services for years and will continue to provide services for years to come. There really is no difference between information security, as it is practiced by some, and information survivability, except for the self-hypnosis the industry uses to convince ourselves of our own self-worth – we rock, dammit, and if it wasn’t for us there would be no company to lose records of in the first place – wrong! We are all just part of the machine, playing the same game that has been played for centuries, doing the best we can to ensure our functions function, functionally, day in and day out regardless of the growing storm of phishing, pharming, backdoor, trojan, malware-laden excrement tossing itself onto the next media platform and causing a spike in revenue for every company waiting to become the next yellow-boxed acquisition target – yay for us.
Bottom Line: you cannot stop all bad things from happening; this is not the goal of security. The goal of security is to limit the probability of bad things happening and, when they do happen, to limit their impact. It really is that simple.