Information Survivability vs. Information Security

The Information Security industry is awash in dire predictions of its own demise and constant questioning of its own importance. I wrote about this in a post titled “The Unbearable Lightness of Securing”. Mogull discusses it under one of the year's better blog titles, “An Optimistically Fatalistic View of the Futility of Security”, in response to a post about meatloaf from the Hoff (here), which was followed by another post from Hoff, “Information Security: Deader Than a Door Nail. Information Survivability's My Game”. All of this must lead one to believe that security bloggers arm themselves not with the latest security widgets but with every element of literary style one can arm oneself with. But jousting poetic is not the point of this post. The point is to finally welcome the security industry (or the survivability industry, if you are so inclined) to the world of Information Technology. So, without further hesitation, let me tip my hat, extend a hearty handshake and slide over a chair for the weary, downtrodden rogues of security as you finally recognize what IT operations and networking folks have recognized for decades: we all simply do the best we can to ensure operational availability of IT resources to support business functions. Hoff has a definition:

Information Survivability is defined as “the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents to ensure that the right people get the right information at the right time.”

One of the first enterprise networking jobs I had was working for a large advertising firm in San Francisco. Netware 3.x was on the horizon and I was responsible for most of the IT infrastructure. Security at the time pretty much consisted of an elderly gentleman named “Jim” who sat in the lobby and would wave pleasantly whether he knew you or not. Periodically Jim would ask folks, based on no predictable pattern, to “kindly sign the visitor sheet”. Of course we had to deal with passwords and access rights, but it was a simpler time; it reminds me of how my parents talked about the 1950's. But even then there was still a lot of “IT'ing” going on, and the team and I would often arrive early in the morning, work nights and weekends, and do the best we could to ensure operational availability of the IT resources required to support business functions.

One of the ladies in accounting approached me one day and asked, “What do you do here? I never see you do any real work.” I was really taken aback. I worked my ass off; I couldn't recall ever seeing her in the office before 9am, and I didn't take an hourly smoke break like she was prone to, often returning to the office smelling like a cheap Thai whore as she waddled through the halls with her meaty fingers choking the life out of a bag of Doritos (maybe I am still bitter). But losing my cool was not an option, so I shot back, “Do you ever have any problems with your phone, your email, your printer? Did you experience any issues when we migrated to the new office or when we upgraded to Lotus 1-2-3? Are you able to use the computer and the applications you need to perform your duties to the best of your ability?” She responded, “I suppose, I haven't noticed any issues,” to which I replied, “That is what I do, all day, every day: the best that I can to ensure you are able to use the tools you need to do the best you can.”

IT was never about perfection: perfect networking, perfect applications, perfect storage. IT was always driven by availability of services, of resources, of new technology to improve process efficiency or reduce costs. I do not recall the word perfection ever entering into a conversation about IT, ever. Well, almost: sometimes when something broke one might quietly mouth “perfect” in a sarcastic tone.

Enter the information security professionals, riding a CIA (confidentiality, integrity, availability) wave of misunderstanding, mismatched expectations and a complete lack of measurability (we are still arguing whether one can even measure IS, let alone what one would measure if one were predisposed to measure something), carrying the flame of FUD high atop a mountain of perfect imperfection. OMG! we scream, between ROFLs, as mountains of frowny-face emoticons cloud IM screens and blog postings while we ramble on about the inadequate security programs deployed by every manner of organization to wrap themselves in a blanket of technical chaos. In doing so we only serve to alienate our industry and our mission (here), assuming of course we have an achievable mission. We do, and we have, and whether we call it something different like Information Survivability or some such nonsense, it doesn't change the basic tenet that IS professionals seem to forget: we serve the business or organization that employs us, and we have been hired to ensure that services are available to provide the functions required by the business.

This is where the data-centric and privacy folks enter the fray, discussing the importance of confidentiality and integrity of data. I wouldn't disagree that these things are important, but they are not a perfect state; they are all part of how IT has been providing services for years and will continue to provide services for years to come. There really is no difference between information security, as it is practiced by some, and information survivability, except for the self-hypnosis the industry uses to convince ourselves of our own self-worth: we rock, damnit, and if it wasn't for us there would be no company to lose records of in the first place. Wrong! We are all just part of the machine, playing the same game that has been played for centuries, doing the best we can to ensure our functions function, functionally, day in and day out, regardless of the growing storm of phishing, pharming, backdoor, trojan, malware-laden excrement tossing itself onto the next media platform and causing a spike in revenue for every company waiting to become the next yellow-boxed acquisition target. Yay for us.

Bottom Line: you cannot stop all bad things from happening; that is not the goal of security. The goal of security is to reduce the probability of bad things happening and, when they do happen, to limit their impact. It really is that simple.

4 thoughts on “Information Survivability vs. Information Security”

  1. No, there’s more to it than that. Really, there is.

    Security is *also* about enabling the business to do its thing without losing everything at the worst possible moment. It’s about senior execs having a good night’s sleep before the next big eBusiness rollout, safe in the knowledge that it’s extremely unlikely the lights will go out tomorrow, or our customers’ credit card numbers will be sent to the Ukraine, or hackers will blow us off the Web even as we are announcing the wonderful new system to the local news media. It’s about taking away that unsettling feeling that ‘something’s not quite right’.

    Oh and by the way, we do stop loads of bad things from happening, most of the time.

    Survivability is just another buzzword in the blogosphere.

    G.

  2. Pingback: Farnum’s Fantasy Friday Fable Falsely Forwards FUD « Observations of a digitally enlightened mind

  3. I would completely agree, but enabling the business first requires that one enable the business to function in the face of operational failures, increasingly hostile threats and more reliance on technology, all in the face of regulatory pressures. For security to become truly embraced as an IT discipline, security needs to be seen as a business enabler and not as a business inhibitor. And yes, information survivability is a blogosphere buzzword and really doesn’t mean anything in the context we have been using it, but apparently the US military uses the term to position something different from traditional information security.

  4. How does a system survive if it cannot withstand attacks and user mistakes? That’s what security does.

    Too many people push security for its own sake; I agree. Proper security is a matter of degree. Good security is not overbearing and difficult, but sometimes the only way to secure a poorly designed (or built) system is to bolt security on in an unfortunate way that gets in the way of business a bit. Sometimes, the business throws caution to the wind and doesn’t allow you to secure it.

    Kinda like those NT 4 servers we had in the DMZ until recently. The business won’t take the time to test the 2003 servers we had built and config’d to replace them. We waited two years for the business to get ‘er done. But the applications running on the old NT 4 couldn’t be turned off.

    Security staff need to remember that they serve the business, not the other way around. If security staff highlights the risk, the cost of securing something, and the tradeoffs, then the staff has done its job. They need to shut up and let management do its job – manage/decide what to do.
