Why Security is in Trouble

Tuesday, April 10, 2012

Rafal Los


Disclaimer: This post is blunt, uses some direct language, and may be offensive to you if you like your truth sugar-coated.  Please stop reading now if this is the case...

Sometimes the absolute best conversation I can have with someone is the one that reminds me how complacent my thinking has become.  This applies to you too.

InfoSec World 2012 had an interesting mix of talks and forums from all corners of information security, but one in particular stuck with me because of its polarizing effect.

That talk was a panel with Marcus Ranum, Chris Nickerson and Alex Hutton.  For many in the room, the panel was like a bucket of ice-water to wake you from a 3am sleep... and it polarized the audience into those who loved the message and those who were simply offended by it.

Let me start off by telling you that I have a personal interest in this panel because I have a deep respect for the type of thinking that Marcus, Chris and Alex foster... on top of the fact that I have personal relationships with Chris and Alex.  There's just something refreshing about a person who's not afraid to tell you to your face that you're wrong.

The panel was interesting because it was titled "What should your real priorities be?" and right from the start it was clear there were strong opinions on the panel.  More than that though, it was painfully clear the audience wasn't ready to hear the message the panel was delivering.  (I'm going to be honest in this post too... so you've been warned.)

Here are a few key take-aways I got from the discussion part of the panel:

  • Many security leaders don't understand priorities because they don't understand what they actually do.
  • Prioritization shouldn't be done by an auditor. Ever.
  • Entirely too many security leaders spend entirely too much time fighting auditors and not the bad guys.
  • The 'running away from a bear' analogy stinks, and falls apart because it's not one bear we're running from; it's a million bears that are constantly evolving and multiplying, and it doesn't matter how many you out-run, there are always more.
  • There are not enough smart people being employed in the right jobs to help defend organizations' critical assets today.

I am on board with all of these, and I have said many of them myself in the past, so I can confirm I'm not entirely out on a lonely limb here... but here's what really got my attention.

At the very end of the Q&A session a gentleman came up to ask a question.  I honestly don't even remember the question, but what I do remember is Chris Nickerson asking him one back in return: "Can you tell me what your organization's mission statement is?"... and the man did not know.

Ponder that for a minute.  Chris essentially told the guy he should be fired, because if he doesn't understand what his organization's goals and mission are, how can he possibly understand what he's protecting?

That comment just hit home... if I scroll back through my posts and my decks I find myself saying exactly the same thing, albeit with a little less blunt force.  I do appreciate the panel's refusal to sugar-coat the truth, and I respect them for being honest with an audience that, I really don't think, was ready to hear that they're not very good security leaders.

Many people walked out unhappy, mad, and outright insulted.  Those people, in this rabbit's opinion, probably don't deserve to run corporate security programs.  That's just an opinion, but think about it.

Everything you do as an Information Security Leader in your organization needs to be aligned to the organization's mission statement and goals.  Every security-related decision you make, and every purchase and project you sign off on, must first and foremost be aligned to the organization.

What does this project/purchase/widget contribute to the company's mission or goal?  If the answer is that you don't know, pause right now and figure that out first.  If the answer is nothing, stop where you stand and do not continue.  If you've never found yourself asking these questions, or worse, you can't even say what your company's mission statement or goal is...

Chris is right, you probably have a better chance of winning the lottery than actually protecting your organization.

Cross-posted from Following the White Rabbit

Damian Profancik: I absolutely agree. I would also add the following...

1) Too many organizations still think the perimeter exists

2) Too many organizations are only securing for the checkbox and not for security's sake

3) Too many organizations are still operating under the paradigm of relative security rather than absolute security

4) Too many organizations are looking for a product that they can buy instead of the process that they need... back to basics

And to echo Chris...

5) Too many organizations don't really have a good idea what they're even supposed to be protecting
