There’s a lot of general negativity in the information security community, often represented as a sense of futility and continual failure.
This makes sense intrinsically, especially when you take "security" as a macro-level topic across the news cycle and the rest of the industry chatter. It seems like everyone is failing all over the place, and the media just eats it up. But is this really the case?
In certain situations, sure. Some organizations just don’t care as much, and some security professionals are unable to get the job done due to lack of skill, politics, too much workload, or plain old apathy.
This is not a “black or white” issue though. I think there’s a lot of good happening in this space right now, and it all fundamentally comes down to the maturity of information security as a discipline. I’ve said this for years, and it bears repeating – this field is still really in its infancy, and has a long way to go.
This post is just me observing the state of things, and I’ll list a few points that I think illustrate the good coming out of our field.
- We are coming to the realization that we WILL be breached. This is a huge, fundamental shift in mindset that’s actually healthy, not redolent of defeatism. We have too much surface area to cover, not enough people and technology, and dammit, defense is HARD.
- We are all risk managers and advisors. This does not mean we WIN or LOSE. We assess and advise, and then we live with the damn decision whether we like it or not. That’s how business has worked, and traditionally those organizations that were more willing to take risks and stick their necks out were rewarded (or crushed). You can’t expect business people to change that mentality overnight. And we’re starting to figure this out.
- A healthy offense can inform defense, and more and more organizations are figuring this out. And we're actually getting better at it. Sadly, all the kids want to be superhax0rz, because it seems like defense is BORING. Maybe, but the truth of the matter is that most people aren't cut out to be good superhax0rz, and without defense there would BE no offense. Let me say that another way. The only reason we do pen tests is to find holes and fix them. In other words, defense. So we've got a Yin and Yang deal going on here, and this is also becoming a healthy realization in more organizations than ever.
- We’re becoming less tolerant of bullshit bureaucrats who spout “policy” and “governance” with no credible skills to back this up. Thank God. If you’re the boss (CSO/CISO, etc) and have no real technical skill, then block and tackle for your folks, then get the hell out of the way and let them make you look good. Still more “infosec politicians” than I’d like to see, but at least we’re learning to work around this issue.
- We’ve realized the government is not going to help/save us. This may seem obvious to longer-term practitioners, but we’re basically on our own, and we’re just getting on with it.
- We’ve got some hella smart new blood coming into this field. If we could stop being crusty, snarky ASSHOLES long enough to embrace them, we’d see the industry advance even faster.
This post is more about the overall advancement and maturity of the industry as a whole, and I’m glad to see it. Despite the sensationalized failures, we’re headed in the right direction, I’m sure of it.
Cross-posted from ShackFOO