(I’ve sat on this for half a day, but wanted to post it since there isn’t enough blog-to-blog talk these days. I may be wrong, I may have good points. Some people learn to shut their mouth over the years, but others of us are learning to actually speak up! So, if nothing else, this is therapy for me! Oh, and I wouldn’t even bring this post up if I didn’t respect Jay and his blog and his thoughts.)
Go read the post “Yay! We Have Value Now!” by Jay Jacobs. Then look back over here. Let’s put on our diving suit and…err…dive in!
I really should say I hate the idea of saying, “I told ya so.” It’s insulting, demeaning, whining, and so on. But that doesn’t mean I like the situation that may lead to thinking, “I told ya so,” and then effecting some change without saying so much. Truly, we will actually never get anywhere if we don’t get business leaders to say, “We were wrong,” or “We need guidance.” These are the same results as, “I told ya so,” but a little more positive, if you ask me. But if leaders aren’t going to ever admit this, then we’re not going to get a chance to be better, so I’d say let ’em fall over.
Besides, you could do security action _____, and I’ll always be able to someday say, “I told ya so!” It’s totally an attitude thing. Moving on! 🙂
(Aside: I think the whole topic of ‘secure enough’ or ‘there is no state of security’ and such is akin to that old Usenet idea of every argument devolving into a Hitler analogy at some point. I find that there is not much we can discuss in security without eventually hitting that point, either implied or explicit.)
RE: Problem #1: It assumes there is some golden level of “secure enough” that everyone should aspire to. – I personally don’t see that assumption. Pointing out LulzSec popping other people simply means those businesses had some deficiencies and they were attacked by some criminals. Criminals out for a good time and laughs. Some of those guys certainly have some skills, but lord help those companies who may have had even more talented and insidious attackers finding and leveraging those weaknesses first. (Then again, maybe a business will prefer to be attacked by their competitors as opposed to hooligans out for laughs?) Still, I’m not sure what Jay was meaning when he turns this into the loss of credibility.
I should propose there are two broad types of security engagements. The first is where a business leader wants reasonable security advice. This almost always begs some metrics, defensibility, economics, and business process/culture consideration. In other words, what should we personally be doing as a business to be secure? The second is where a business leader wants to know what security improvements there are to make. Some of them might end up not being reasonable, but that’s for the business leader to decide. The latter probably won’t ever lose credibility in the face of public digital hacks. But they will walk out of board rooms rejected on a more regular basis.
RE: Problem #2: Implies that security people know the business better than the business leaders. – Business leaders are talented; I’ll make no effort to dispel that blanket belief. However, if you want to know the real value in a business or how the business is doing, talk to the accountants. If you want to know business process, most likely you’ll talk to the IT teams. If you want to know the digital risks, you talk to the security teams. The trend here is that while business leaders (at the risk of not defining “business leaders”) can be very good leaders, managers, entrepreneurs, salespeople, and strategic thinkers, that does not necessarily mean they have any grasp on digital risks or what that might mean, or how their important assets are being protected (either physical or digital). They might not even know of some of the damaging assets such as the database storing CC/PII or that their secret formula is on a test server somewhere. Is that bad? No. It just means they’re not omniscient.
Does that mean IT or accountants or security know the business? Nope. But that doesn’t mean they know the business less than business leaders either. Mostly, I agree with Jay. I think security gets a little too loud with the, “I have your data, your business is over!” ranting. It’s possible the business owner knows the cost of security, has a good idea of the cost of any realized risks, and has actually chosen a spot on the balancing beam that is security. Maybe that means there is risk left open, and some attacker leverages that opening and pops data off into the public world. Sometimes, the end result is, “So what?” Some people may lose their jobs, media might make things fun for a while, and you might even get to talk in front of a Congressional committee that has some ideas on making some digital regulations (how’s that for an attack effecting change?). But it truly is just a part of doing business and an incident for leadership and PR to handle and move on through. Now, did Sony understand that if they host a porous web application that, if attacked, might result in not only losing the data it houses on customers but also in extended periods of downtime and public smearing? Perhaps.
Still, the end point is that this isn’t about knowing the business more than the business leaders, but just knowing the digital security posture more. Refer back above to my 2 types of security engagements. It’s hard to tell a security geek to stop being a security geek for a bit and be reasonable. Not because of a character flaw, but because of our passion and desire and (often) knowledge. Now, I bet Jay would agree that the security pro who can have that passion but also temper it into ‘reasonable security,’ is golden!
RE: Problem #3: This won’t change most people’s opinion of the role of corporate information security. – Diving into this point is not going to be fun, and Jay probably knows it since he admitted the problems in this point. I’ll try not to linger…
Statistics just flat out BEG to be manipulated and presented in strange ways that may paint things in an opposite light. How many of those 200 million domain names are even web sites? How many have significant enough value behind them to ever even begin to have the potential to be the face of a “large breach?” Not 200 million. And so on. How many were public? (Of course, won’t this mean there is such a thing as “good enough” security? Oh shit, I did it…)
Strangely, Jay sort of makes the opposite of the point he set out to make: “We need more tangible proof to really believe in hard-to-fix things like global warming: we fix broken stuff when the pain of not fixing something hurts more than fixing something.” Wait, what? Watching Sony’s network get made into Swiss cheese isn’t tangible proof enough? I’m being an ass there, since I think Jay means it needs to happen to us directly.
Here’s my favorite security analogy (cue the emotional language!). If you find out and hear the stories and see the shaking and tears of your neighbors who have been victims in a string of home break-ins and theft, will that have any bearing on your own home security posture? Even if for just the short-term?
On the other side of the coin, if you haven’t heard a lick about theft or suspicious persons or strange things going on around your neighborhood, I wonder how many such residents will see their security posture loosen over a complacent time.
One might argue that perhaps there is crime there, and they aren’t targets, and even zero effort/time/money spent on security would have the same results. Perhaps! That’s where I get into the whole Security Gamble issue. You might have zero security, and be a victim. You might have 95 units of security, and be a victim.
But I would say that in the face of a rash of incidents in your neighborhood, you’ll take at least a superficial look at your own posture, and maybe raise just the right questions for a security pro to actually effect some positive difference.
Jay’s core point, though, is still true, as any security or even IT ops professional can attest to: shit usually doesn’t get fixed until there’s a problem. That includes flaky servers, poor code, insecure practices, database hashing, vuln scans, and so on. But I’d still say public scapegoats do have a positive impact.
RE: Problem #4: Companies are as insecure as they can be (hat tip to Marcus Ranum who I believe said this about the internet). To restate that, we’re not broken enough to change. – I honestly don’t have much I can say about Point 4. 🙂 I pretty much agree, but it’s also general enough to be somewhat unarguable. The one thing I can say: I think Sony is making changes due to these incidents. *shrug* Just sayin’…
By the way, I am entirely neutral with this whole LulzSec thing; but I will certainly use any opportunity I can get to promote security initiatives in people or organizations that I may influence. Yeah, pointing out the inevitable insecurities in others is about as evil and head-shaking as any other FUD, but security is ultimately what we’re asked to do.
I posted a blog-reply to your blog-reply about my initial response to someone else’s blog. Unfortunately, I probably didn’t address many of the points directly; I was getting *way* too long-winded. Absolutely love the discussion!
Ranum’s point about only being as secure as one needs to be is really the bottom line. A whole security model exists based on assumptions that it was sufficient enough to mitigate enough risk to satisfy enterprise need. It is simply now being realized that it was never really challenged previously and is so full of holes as to be virtually impossible to fix as it stands. Maybe more can be done, but at what cost and to what degree of completeness? One never knows if the barn door is still open or not.