I recently de-friended an acquaintance on Facebook because I could no longer tolerate the open disdain and hatred he showed toward a particular presidential candidate. He would constantly post links to extremists sites purporting to have the inside scoop on this candidate's hidden agenda, hidden religious bias, and other alleged secret plans. While it was true that I supported this candidate, this fellow attributed my refutation of his assertions as mania for the candidate instead of an attempt to debunk the myths he was perpetuating. In the end, he even mocked me for walking away, because he again saw my fact-checking and push-back as blind zealotry and not an earnest attempt to put aside rumor and innuendo in favor of what is widely held as the truth (it should be noted that he opposed both main-party candidates, yet only saw fit to bash the one, ironically).
It's struck me in reflecting on this situation that this sort of conflict arises very often. The political season seems to bring to life some of these age-old debates, but at their core we find behavior that plays out in the average enterprise every day. It is these hobgoblins of foolish consistency, about which Emerson warned, that plague many IT departments, and really businesses at large, in dealing with issues of security, privacy, and business continuity.
In a previous life as a systems administrator for a very small ISP, my boss had wanted to implement a monitoring solution. His background was somewhat technical, including light training in network administration, and so he decided to go listen - and eventually buy into - a sales pitch from a major vendor. He spent tens of thousands of dollars on this overkill monitoring product that promised to perform automatic discovery and whip our meager environment into shape. A few weeks and several thousand dollars on professional services later, the product didn't work. The base Windows server build wasn't compatible with the product (despite being built to their specification), and it turned out that their auto-discovery was really better geared to an internal network using RFC 1918 non-Internet-routable IP addresses. The long and short of it is that despite all that money, the monitoring solution did not work.
Coming back a few months later to this ISP, the manager asked me what he should do about the failed monitoring solution. He indicated that the major vendor felt guilty over the somewhat misleading sale, and thus was willing to refund some or all of the money, though they would really prefer to give us a different product altogether. They offered us licensing for their commercial anti-virus, to use with our mail gateways, for example.
My response was clear and simple: do not be beholden to the past if it is keeping you from your future. Throw out that foolish consistency and make a clean start going forward. In the specific case, I sent him links to two open-source solutions (one for monitoring, one for AV), and in less than a week he had the monitoring tool in place, working better than he'd even hoped for the commercial solution.
Unfortunately, this situation is extremely rare. Human psychology oftentimes fights to be consistent. It is extremely common for people to make decisions and then fight to remain consistent with those decisions, even long after they've come to realize that they've made the wrong decision. In the security industry, this particular weakness of the ego can have extremely devastating effects. Moreover, if the decision-maker is in the business, it can make life even more difficult. In fact, it can stop the maturation of the business cold.
Guy Kawasaki talks about this phenomenon in Art of Innovation post. In particular, he talks about the need for organizations to "jump to the next curve" in order to truly innovate. The basis of this philosophy is that basic evolution of products or services can only go so far. At some point, your organization will stagnate, and the only way to resolve this problem is to essentially throw away most, if not all, that you're doing, and start fresh at a new, higher level of performance. In effect, you jump to that next performance curve, rather than fighting for every last penny with the old, dying model. There are many examples in industry to describe this phenomenon, such as the evolution of the transportation industry.
Within security, this principle is alive and well, and really speaks to the stagnation that we currently see. This problem has faced us as recently as the last 15 years. When I first began working with computers, we were just emerging from the world of large-scale central computing, slowly, then quickly, moving into distributed computing. Many old IT departments struggled to retool, and even to this day many organizations hold onto their mainframes (for good reason). In the mid-to-late 90s, as the Internet blossomed and hardware became incredibly cheap, organizations began to realize that their lock-in to expensive mainframes didn't make as much sense. Successful companies threw out their allegiance to the old ways and put fresh eyes on the new ways. Today, we can now see a successful hybrid approach that uses central computing in some cases, distributed in others.
For security, distributed computing introduced a whole new set of problems, and the most common approaches were to implement tools like firewalls and signature-based anti-virus. Eventually we added intrusion detection systems to the mix, and developed better ways to harden our operating systems. And yet here in 2008 we still have problems with malicious code, and we're now realizing that this traditional approach to security doesn't quite work. Do organizations have what it takes to throw out these dated and now-ineffective approaches to consider something new?
One of my favorite alternative approaches is that produced by the Open Group's Jericho Forum. Among other things, the Jericho Forum rejects the traditional notion of perimeter-based security. Instead, they advocated hardened enclaves, within which you can more easily define appropriate behavior, tune monitoring, and take a more data-centric mindset in securing the enterprise. This approach is innovative, and yet it is sometimes met with skepticism by traditional infosec and IT departments. Get rid of the traditional DMZ structure and perimeter firewalls? Heresy!
In addition to this approach, there are numerous other places where security should be challenging the status quo. Is workstation-based AV absolutely necessary? Should all employees by granted full-scale workstations when cloud computing offers the possibility to realize the thin client architecture dreamed of in the late 90s? Is vendor lock-in a good or bad thing? Are commercial solutions really the best for an organization, or should open-source play a more prominent role? Or, does open-source really just shift the money from depreciatable assets to non-depreciatable consulting services? And let's not even get into mobile computing and the myriad traditional threats facing these emerging edge technologies. How do we control data when it's well beyond the perimeter?
At times like these, when budgets are perhaps thinning and the country seems short on true innovation, it becomes our challenge to throw off the shackles of previous decisions and take an economist's outlook on new decisions. What's happened in the past should teach us lessons, but it does not predict the future. We can only hope to make the best possible decisions today with the information available, and we should not simply rely on previous decisions made in a different context to hold true to modern times. Today is unique - just like every other day.
