Shackleford: What’s RIGHT with Infosec

Monday, April 02, 2012

Dave Shackleford


There’s a lot of general negativity in the information security community, often represented as a sense of futility and continual failure.

This makes sense intrinsically, especially when you take “security” as a macro-level topic across the whole spectrum of news coverage. It seems like everyone is failing all over the place, and the media just eats it up. But is this really the case?

In certain situations, sure. Some organizations just don’t care as much, and some security professionals are unable to get the job done due to lack of skill, politics, too much workload, or plain old apathy.

This is not a “black or white” issue though. I think there’s a lot of good happening in this space right now, and it all fundamentally comes down to the maturity of information security as a discipline. I’ve said this for years, and it bears repeating – this field is still really in its infancy, and has a long way to go.

This post is just me observing the state of things, and I’ll list a few points that I think illustrate the good coming out of our field.

  • We are coming to the realization that we WILL be breached. This is a huge, fundamental shift in mindset, and it’s actually healthy, not a sign of defeatism. We have too much surface area to cover, not enough people and technology, and dammit, defense is HARD.
  • We are all risk managers and advisors. This does not mean we WIN or LOSE. We assess and advise, and then we live with the damn decision whether we like it or not. That’s how business has always worked, and traditionally those organizations that were more willing to take risks and stick their necks out were rewarded (or crushed). You can’t expect business people to change that mentality overnight. And we’re starting to figure this out.
  • A healthy offense can inform defense, and more and more organizations are figuring this out. And we’re actually getting better at it. Sadly, all the kids want to be superhax0rz; it seems like defense is BORING. Maybe, but the truth of the matter is that most people aren’t cut out to be good superhax0rz, and without defense there would BE no offense. Let me say that another way. The only reason we do pen tests is to find holes and fix them. In other words, defense. So we’ve got a Yin and Yang deal going on here, and this is also becoming a healthy realization in more organizations than ever.
  • We’re becoming less tolerant of bullshit bureaucrats who spout “policy” and “governance” with no credible skills to back it up. Thank God. If you’re the boss (CSO/CISO, etc.) and have no real technical skill, then block and tackle for your folks, get the hell out of the way, and let them make you look good. There are still more “infosec politicians” than I’d like to see, but at least we’re learning to work around this issue.
  • We’ve realized the government is not going to help/save us. This may seem obvious to longer-term practitioners, but we’re basically on our own, and we’re just getting on with it.
  • We’ve got some hella smart new blood coming into this field. If we could stop being crusty, snarky ASSHOLES long enough to embrace them, we’d see the industry advance even faster.

This post somewhat parallels my previous post titled “Doom, Gloom, and Infosec”, where I also outline some solid benefits of working in infosec (good money, smart people, etc.).

This post is more about the overall advancement and maturity of the industry as a whole, and I’m glad to see it. Despite the sensationalized failures, we’re headed in the right direction, I’m sure of it.

Cross-posted from ShackFOO

Jeffrey Carr Dave, in response to your Twitter query about why I view your argument here as weak, it's because if you list all of the evidence as to why InfoSec is broken and has utterly failed us on one side, and list your bullet points on the other, they don't hold up other than to try to find a slim silver lining in a sky of thunder clouds. A silver lining may suggest hope that things could change but it certainly doesn't negate the evidence piled high on the side of the current failed InfoSec model.

I have hope that things could change; however, in order for change to occur, everyone needs to acknowledge that there's a need for change to happen.
Ian Tibble There's being "negative" and shooting holes in everything infosec without having any real coal face experience - I don't see anyone doing this. Then there's being "negative" and realistic, which isn't being negative at all. If someone takes the stage and relates their experiences in the infosec industry - chances are if they're being truthful, their story will sound "bad" or "negative", and with the modern day MBA/zen/zeitgeist obsession with being "positive", there is a license to shoot them down with comments about "whining", "crusty", "snarky" etc...and many other such references in this and other posts in this blog.
Sorry but you cannot combine "bullshit bureaucrats who spout policy and governance" (this is 90%+ of all pros in the field), and "this field is still really in its infancy, and has a long way to go" with any kind of positivity of how the infosec industry treats its customers.
The field is in its infancy - quite right, but infants grow up and mature. I don't see any evidence of maturing or evolution.
To grow and mature we all need to be on the same page as to what our problems are. One has to know one has a problem before it can be addressed.
This article is evidence that some people have identified some of the problems we face. But then there are others, who are actually aware of these problems, mostly wearing the "bullshit bureaucrats who spout policy and governance" hat, for whom the status quo suits them just fine. Security advice given out to budget signatories and governments, as well as who is hired and fired, is currently controlled by these folk. Given this, how likely is it that talented folk are entering our field? Talented maybe, but talented in what areas? Most likely it's bullshit and governance. Is that what our customers need?