There is a dull hum permeating the industry of late – security is dead some say, others think it to be too costly to maintain, others still believe that what is needed is a change of perspective, perhaps a radical shift in how we approach the problem. What underlies all of these positions is a belief that the status quo is woefully ineffective and the industry is slated for self-destruction or, as a whole, we will succumb to a digital catastrophe that would have been avoided if only we had just…well, just done something different from whatever it is we are doing at the time something bad happens.
As we go round and round on the never ending hamster wheels provided as best practice guidelines and securty frameworks by security vendors, consultants, and pundits, we find ourselves trapped in an OODA loop that will forever deny us victory against malicious actors because we will never become faster, or more agile than our opponents. But to believe one can win, implies that there is an end that can be obtained, a victory that can be held high as a guiding light for all those trapped in eternal security darkness. We are as secure as we need to be at any given moment, until we are no longer so – when that happens, regardless of what you may believe, is outside of of our control.
One of the biggest trends in security over the past 5-6 years has been its movement into mainstream IT. Traditionally IT security has been seen as outside of normal business processes. Organizations tended to react driven by a security incident or compromise, an audit or compliance event, or due to perceived changes in the threat landscape. For the most part security has been and still is an afterthought.
The rising tide of mobile computing, driven by the introduction of consumer devices such as the iPhone and iPad, is crashing against the shores of many an IT shop. Most IT organizations have lived on a diet of corporate policy restrictions and liberal use of the word “No!”, unfortunately their time has come. Continue reading
As I was traveling through Canada last week I was struck by an article in the Globe and Mail – “Track designers defend Whistler course” – in which the designers of the Winter Sliding Centre suggest that the unfortunate accident that resulted in the death of Georgian athlete Nodar Kumaritashvili was caused by human error and not any negligence of the track designers themselves (here) and (here) Continue reading
To economists, the term “Broken Windows” refers to the question that if a shopkeeper pays a glazier to repair a broken window at his store, does this deliver an economic benefit to society? Many people would say yes, because it generates demand for glass and work for the glazier.
Have you ever been witness to the fury of that solid citizen, James Goodfellow, when his incorrigible son has happened to break a pane of glass? If you have been present at this spectacle, certainly you must also have observed that the onlookers, even if there are as many as thirty of them, seem with one accord to offer the unfortunate owner the selfsame consolation: “It’s an ill wind that blows nobody some good. Such accidents keep industry going. Everybody has to make a living. What would become of the glaziers if no one ever broke a window?
Excerpt from the 1850 essay “That Which is Seen and That Which is Unseen” By Frederic Bastiat Continue reading
(this post is dedicated to all those I have debated – poorly – on twitter and in blogs)
I must admit that I do enjoy the experience of a good debate, the adrenaline rush, the give and take with a qualified adversary, the thrill of victory and hopefully the expanse of ones views. So often though many of us fall back on cheap tricks, emotional triggers, and framing points of view in extremes or black and white terms – all of which result in polarizing, as opposed to elevating the discussion. This is not a new phenomenon and has been used through the years by some of the most prolific personalities in history. In some cases the result is for the betterment of all and sometimes it is to the detriment of many.
What is new is social media, such as twitter, blogs, facebooks, etc., which provide an excellent mechanism to reach a large population of geographically dispersed people – that is good. Unfortunately the speed at which information is disseminated as well as the lack of detail and time used to build an argument that can facilitate healthy communication is severally impacted in these mediums – that is bad.
I don’t know how many of you have tried to carry on a debate in 140 characters, but it is a poor forum for anything beyond where one should eat dinner and even that can quickly border on contentious if not bounded properly.
Here is an example of a bunch of recent twitter debates (modified slightly and the names have been changed to protect the silly):
In the security industry we like to fool ourselves into thinking that we can materially impact an organizations security posture. We believe that new tools, a new framework, a new regulation, a new school of thought will lift the veil of organizational ignorance and enable us to attain the state of enlightened security practitioner.
But as we trudge through the mud and haste of our increasingly digital lives we embrace the continuity of failure that is security, only we have more of it…more threats, more tools to deal with the threats, more people to deal with the tools, more process to deal with the people, more adoption of technology leading to more threats, which of course leads to more of the same – more fail.
Maybe it is time to stop fooling ourselves and recognize that to move forward we have to know our limitations and start to question the status quo that so many others rely on for their livelihood.
So as you stare out the window, morning cup of coffee in hand, a tear rolling listlessly down toward your chin and as your sitting there pondering what went so terribly wrong take a moment to reflect on the top 10 reasons your security program sucks and why no matter how much you kick and scream it will continue to suck…