As an Analyst I was often quoted in the press and would go to great pains to ensure I was quoted accurately. Unfortunately the best-laid plans can often go astray, and I found that regardless of my efforts I (and many others) would be misquoted, misrepresented, mispositioned and sometimes misaligned. I do not know Farnum personally, but I assume he is a sharp guy, although after reading his latest Computerworld blog posting (here) one may be left to wonder if his recent time as a security reseller has dulled his senses. The article isn’t necessarily wrong, and on its own it is not worthy of my ire, but he makes a leap of logic that seems to be baseless. So let’s dig in and see where his thoughts go astray…

And as I started reading all of this, I found Amrit’s post here, and something he wrote made me think a little further. He said:

…we serve the business or organization that employs us and we have been hired to ensure that services are available to provide the functions required by the business.

Now that basic statement is very true. When we take a job at a bank or an oil company or a retailer, their legitimate expectation is that we protect them from the bad guys who want to break in and steal from them. But Amrit speaks of this as if it is our ultimate goal. Is it? Is our ultimate goal to help our company survive, or is it to do our part in helping achieve security for everyone?

First, our ultimate goal is not to help our company survive but to help our company excel – it is about doing our part to increase the bottom line, and we do this by ensuring the business functions optimally in the face of increasingly hostile threats, operational failures, and compliance pressures. Honestly, though, I have no idea what Farnum’s comments mean in the real world. Is Farnum suggesting that although we have been hired by a company to perform a set of tasks and provide a service, that is not our goal, and that our goal is instead to make sure we provide these same services to everyone? What a remarkably communistic stance. What exactly is he suggesting one does? Perhaps he would like to suggest to his employer that they provide free professional services or security software or hardware to ensure that security truly is for all, but this would of course go against his employer’s wishes and the service they hired him to perform, which I assume is to sell as much stuff as possible. This is not to say that security researchers, professionals, and others shouldn’t share their knowledge – we do all the time.

The above comments are not terribly wrong, though; what really took me aback was the following:

Now one could argue that by securing our little corner that we are contributing to the security of the whole. And I can see where that is valid as well. And I also know that not all of us are going to be security researchers and thinkers like the Hoff and Rich. But when we start thinking that all we can do is work on our little spot and the rest of the Internet is on its own, then we fall right into the trap that Hoff and Rich are trying to get us out of. We just cannot ostrich our way through life.

Ostrich our way through life? How does one make the leap from “we serve the business” to falling into a trap and burying our heads in the sand? Isn’t it incumbent upon security operations folks, in order to fully serve the business, to absolutely NOT bury their heads in the sand? Farnum goes further…

Believe me when I say the temptation to do just that is extreme. Sometimes I just want to give it all up and walk out the door (of course, I would be walking out of my own house since I usually work from home). But we just can’t all do that. If we are not standing in the breach, who will be?

Wait – what? How did we go from “we serve the business or organization that employs us and we have been hired to ensure that services are available to provide the functions required by the business” to burying our heads in the sand, not caring about overall security, and giving up because the temptation to do so is extreme?

Most likely Farnum misread my comments and then misrepresented them, and perhaps I am doing the same, but I do not see how providing the services we have been hired to provide to the best of our ability and working with others in the security community are in conflict.

  1. I’m with you, Amrit. The two don’t conflict, unless of course you are talking about devoting time to one or the other. Naturally, I prefer to take the long view and think about what’s best for security for all, and in my copious spare time — between managing nine employees, dealing with a major outsourcing and data center move, and supporting a change in top leadership — I do try to do it. But I don’t see anything wrong with spending most of my time on the one as pays me.

