In case you haven't noticed, my blogging has trailed off the last few weeks, roughly corresponding with starting a new contract. There could be any number of reasons why this has happened, but it's nothing you couldn't probably guess at. New gig, longer days, lots of work, too few hours, not enough resources, yada yada yada. You know, it's called security. ;)

Perhaps the most frustrating part for me has been trying to find time and energy to write. I keep having quick ideas, but when I finally sit down to write about them, well, things just fizzle and fall flat. Not being one to publish something that I think is complete garbage, I've simply not. I even tried to write a couple article submissions last week, but those were not particularly good. If they end up running one, fine, though I will not be sad by any means if they don't.

Anyway... in order to provide some value, I thought I'd just go through and toss out in short-form some of the ideas that I've had percolating lately in hopes that maybe someone will find value in the starter thoughts, even though I'm currently unable to get beyond those starts. So, without further blah blah blah, here ya go:

* Legal defensibility: I'm increasingly of the opinion that the correct metric we should be working toward is that fuzzy concept of "a reasonable standard of care." Forget about risk and risk management as your lead - it's not working. Instead, the pitch I think is most easily understood by business managers is this: you must do what is necessary to protect the business against impugnability. That is, when you sit down with senior or executive management, don't try to talk to them about information risk, because it'll generally go right over their heads (whether they acknowledge this or not, it seems to be almost universally true). Instead, say "when you get hacked tonight, will you be able to tell customers or shareholders, in a court of law, that you did everything reasonable to protect the business?" My hope is that a "no" answer in this scenario would incite a realization that the business is exposed to excessive liability, which needs to be actively managed.

* Where are the corporate attorneys?: Along the same lines as the previous point, I'm a bit confused why legal departments, in-house counsel, and the sort are not rushing in to pick up the fallen gauntlet of security. It is just a matter of time before more laws, more regulations, and - importantly - more fines and crimes pile up to the point that the business realizes "oh no, we're in trouble!" In my mind, the job of corporate counsel is to help identify these liabilities and exposures and help drive the business toward a safer stance. If only they would wake up and realize that this opportunity exists...

* Security intuition: Much of the "psychology of security" research thus far has confirmed what we pretty much knew already: people don't respond to online threats because they haven't evolved any sort of defense detection or reaction mechanism for it. In neurology terms, there is no feedback loop that connects online actions with consequences. Without repercussions, humans will not develop an instinctual response for poor online decisions. As a result, much of our attention has been paid to appealing to the intellect of people. We reason with them, provide them with logical arguments, and work hard to develop abstractions like risk to help show measurements for areas of concern. And yet little of this is actually working. So, if there's no capability to evolve instincts, and the appeal to intellect is failing, then this leaves only one level of existence to try targeting, and that's intuition. Of course, this is problematic, because we don't really know anything about intuition, except that it's a higher function than intellect, and that it's at best related to innate wisdom and feelings. In other words, oh crap, we're so screwed. ;) Seriously, though... I think there's something to this whole line... and I think it underscores the importance of deepening security education, training, and awareness initiatives so that everybody hears it (in reasonable, rational terms - no FUDsec, plzzz!!) on a regular, recurring, nearly-brainwashing basis. Perhaps.

* What is core to infosec?: I sort of asked this same question in July 2009 in my post "Do You Need a Security Department?", but not to any level of satisfaction. I've also read Mortman's reasonable post "Incomplete Thought: Compliance, Governance, Audit and Risk aka GRC We’re Doing It Wrong", which seems to have garnered a strong negative response from those supporting GRC. I still can't quite put my finger on all the angles yet, but what I do think I know is this: anything having to do with IT operations is not security. Firewalls, IDS, access management, patch management, vulnerability management (at least in part)... these are all operational issues by and large. So, if you take away these things, you're left with a handful of higher-level activities... mostly stuff that falls under governance, security management, process management, and quality & performance management. Notice I left "risk" out of that list - that wasn't accidental. I consider it to be a sub-part of the other areas. Btw, if you're wondering what quality & performance mgmt. is, that's my collective heading for metrics, testing, audits, etc. (e.g. pentesting, SAS70, vuln scans, appsec scans), and all the reporting that goes with it. This line of thinking makes me wonder, after fighting against the marketing hype of GRC all these years, if it may actually make sense. Well, at least the governance part, at any rate...

* Losing faith in the security industry and community: If there's one thing I'm increasingly feeling, it's an utter lack of hope for or faith in this industry. On the one hand you have vendors driving products that don't solve problems. On the other hand you have an increasingly elitist and self-congratulatory "core" of people who think more highly of themselves and their alleged achievements than I think is warranted. And in the end, you have the same stupid problems day in and day out with companies and people everywhere. For all the "innovation" that is allegedly occurring, where is the meaningful improvement? The only thing we seem to be able to link to some sort of change in the world is the need for compliance with various regulations, such as PCI or GLBA or HIPAA or any number of EU provisions. It seems to be the case that no business is really interested in spending one penny on self-preservation unless it is absolutely mandated by a governing authority. And even then we see massive failures as we learn that businesses are actively gaming compliance. The whole thing is a total nightmare and highlights, I think, the greatest threat of all: the complete dissolution of trust. I don't know that I like the thought of a world without any trust. It's rather disconcerting and downright disturbing.

Anyway... those are my random thoughts as of late... sorry not to have been able to develop them further. It's hard to think actively all day long and then try to come home and think some more. At some point one just needs to clear the mind and live intuitively.


Much of what you're saying is why my core courses in my self-designed Information Security Management major are courses in leadership and organizational change. Big-picture organizational metrics-based analysis, motivation and incentivization, and environmental (that is, customers, community, suppliers) factors, elements that define the organization's transactional and transformational structure.

Every marketplace will be full of self-promotional, self-aggrandizing experts whose marketing exceeds their skill. By definition, these "experts" are better at marketing than people whose energies are devoted to actual infosec experience and insight. The trick to successful infosec efforts is to integrate secure processes into the overall business process environment in a way that's so complementary and intrinsic that people hardly notice it's there.

But you know, February is about the worst month for having any energy. We're at the tail end of The Slog, with a couple weeks to go before spring asserts itself. Take this time to rest and conserve your energy, and come out fighting when the sun shines on the new grass...

@Albatross -

Yep, pretty much. I've been consistently interested in the idea of organizational transformation. Ultimately, everything in infosec hinges on it. Business as usual is a killer. However, I have yet to find a good approach that addresses these issues. Ah, well.

In the meantime, yep, recharge and get ready for a couple conferences. I'm trying hard not to be simply negative about things, but would in fact like to find positive, constructive solutions.


About this Entry

This page contains a single entry by Ben Tomhave published on February 15, 2010 3:55 PM.
