I first started running hurdles in Jr. High (Gr. 7-8). I wasn't all that good, but held my own, overall. I ran in running shoes, not really thinking much about it until I got into High School (Gr. 9-12), where it became clear that better equipment was needed. Still, having sprinting spikes or light middle distance spikes didn't solve all problems. It wasn't until a couple months into my first season in HS that the distance coach pulled me aside and told me about running technique. It's at that point that I slowly learned that there were different ways to run depending on the type of running you are doing. Sprinters don't run like marathoners do, rolling from heal to toe. Instead, sprinters - and, by extension, hurdlers - run up on the balls of their feet the whole time, getting a spring-like action that greatly improves turnover.
So, I learned technique with sprinting, and my game improved dramatically. Well enough to make it to the State Championships my senior year, which was in and of itself an accomplishment. But technique wasn't all there was to it. I still wasn't all that great of a hurdler, especially when I saw the field of really good sprinters ahead of me. Thus it began to occur to me that, no matter how good my technique might be, there's still something to be said for talent, regardless of whether that be in athletics or academics or on the streets or in the fields. That being said, it is the combination of talent and technique that really accelerates people past the average curve.
In many ways the infosec industry faces a similar quandary. Historically, we've relied on a number of very smart people, rich in talent, but not necessarily steeped in technique. And, to be quite honest, technique hasn't been as important over the years. You had a firewall, you had AV, and maybe you had SSL, and there were limited ways to use them, so you stick them in place and viola! you're secure. Or not. But you get the point.
Today, however, we've reached a point where relying on a handful of smart people is unrealistic. Everything and everybody is online, and that means that the number of people required far outnumbers the number of truly talented and smart folks available for front-line work. Thus, we need good technique to help balance out the equation. And, for the most part, we're starting to see these techniques evolve. Application security and secure coding are perhaps the best examples of how improved technique is changing the industry. One need only look at OWASP or SAMM or BSI-MM or even the requirements in PCI DSS (pointing at OWASP) to know that technique is improving.
Unfortunately, this isn't yet true across the board. As one might expect, there is still room for improvement. Risk management - while long a staple of certain industries and business management - has not developed reasonable techniques within the information assurance industry. While there are a few candidates out there (ISO 27005, NIST Risk Management Framework, etc), the simple fact is that none of these frameworks really meets the practical needs of the average organization.
Similarly, while there are lots of niche frameworks and methodologies for addressing distinct areas within infosec, there is no real over-arching technique to pull it together. Or, at least, none that's widely recognized (my TEAM Model addresses this very issue). We're thus left with a few gaping holes in the technique department as far as the overall information assurance approach is concerned. Our only choice is to rely on talent, and hope that who we think of as having talent is in fact truly talented.
From a practical standpoint, this situation will necessarily have to change. As an industry, we're already dealing with friction due to being stale while the opposition evolves rapidly. The chaffing over PCI is perhaps an excellent example of where the need shows through the greatest. A laundry list of requirements - lacking a proper risk management context - can, and has, improved security at merchants, but it doesn't address the technique issue universally. Where PCI is, however, successful is in pushing organizations toward improved technique in key areas, such as by referring to OWASP for web application security, or by requiring better patch, vulnerability, configuration, and change management processes. It is now time for the industry to step up and fill in these technique gaps so that we can then optimize and maximize our effectiveness in dealing with the ever-evolving threat landscape.
(Note: this article is cross-posted from the Truth to Power Association Practical Security Knowledge Core)
