Getting Results the Wrong Way

Monday, January 03, 2011

Andy Willingham

Right results are not the measurement of success. How you arrive at the results is even more important. It is not all about results. Of course results are important, done the right way.

For quite some time lots of us in the community have been saying that the industry is broken and that we’re looking for ways to fix it.

Unfortunately I don’t have a fix yet but this quote sure sums up the problem. The problem is the band-aid approach to securing our networks, applications, environments, data, etc.

When a threat arises or an attack happens we fix it. Then we move on to the next thing and that is OK. It has to happen that way because of the nature of the beast. We are constantly under attack and finding new flaws.

The business is driving us to “fix” the problem, but they see the symptom as being the problem. Sure, there are some who realize that the issue at hand is a symptom, but they then assume that by going up one or two levels they have found the problem and demand a fix for it. Rarely (or never) are they right.

Security professionals tend to think this way as well. They focus on the here and now and not the root of the problem. We measure our success by “right results”. A virus hits and we remove it; we have a “right result”.

A worm is running amok on the internet and we block it from entering our environment; we have a “right result”. We get hit with an XSS or CSRF issue on our web site and we fix it; we have a “right result”. We buy a new technology that does this or that and we have a “right result”.

All of these are good and necessary. They have to happen, but they aren’t enough. Sure, they help ensure that we stay employed because someone has to stop them and fix them. That is about all it does though. It doesn’t address the real problem of how we truly secure what we are responsible for.

The last part of this quote is very important: “How you arrive at the results is even more important”. I’m not looking at this from the perspective of how you removed the virus or stopped the attack. I’m talking about how you are strategically protecting your environment.

Are you doing it with one band-aid at a time or are you really deploying a solution that will meet your needs today and in the future? Are you looking at the big picture and working with the business as a whole to solve the problem?

Of course the answer isn’t that easy. If you are in a small environment you are often the only person responsible for technology or one of a very small and very busy team.

If you work for the enterprise you may face the same problem. Or, if you are fortunate enough to work where there are lots of technology and security professionals, they are usually divided up into various teams that are busy and often working against each other to achieve different results.

Then there is the whole dynamic of getting the business on board. They don’t understand or sometimes don’t care.

Unfortunately there is often little we can do alone, but if we keep our focus and continue to sharpen our skills and understanding, then we can slowly start to change things.

