You Know What’s Dead? Security…
…well, it is if you listen to many of the folks who spend their time trawling about security conferences, writing blogs (like this one) or talking on podcasts. I don’t share that opinion, however.
Lately there’s been a noisy upswing in the security echo chamber of people who suggest that, given the visibility, scope, oft-quoted financial impact and reputational damage of recent breaches, “security is losing.”
{…losing its mind, perhaps…}
What’s troubling about all this hen-pecking is that with each complaint about the sorry state of the security “industry,” there is rarely a useful solution offered: one that is adoptable within a reasonable timeframe, that satisfies a business condition, and that results in an outcome that moves the needle to the “winning” side of the meter.
I was asked by Martin Mckeay (@mckeay) in a debate on Twitter, in which I framed the points above, if “…[I] don’t see all the recent breaches as evidence that we’re losing…that so many companies compromised as proof [that we’re losing.]”
My answer was a succinct “no.”
What these breaches indicate is the constant innovation we see from attackers, the fact that companies are disclosing said breaches and that relatively high-value targets are admitting as much. We’re also seeing the better organization of advanced adversaries whose tactics and goals aren’t always aligned with the profiles of “hackers” we see in the movies.
That means our solutions aren’t aligned to the problems we think we have nor the motivation and tactics of the attackers that these solutions are designed to prevent.
The dynamic tension between “us” and “them” is always cyclical in terms of the perception of who is “winning” versus “losing.” Always has been, always will be. Anyone who doesn’t recognize patterns in this industry is either:
- New
- Ignorant
- Selling you something
- …or all of the above
Most importantly, it’s really, really important to recognize that the security “industry” is in business to accomplish one goal:
Make money.
It’s not a charity. It’s not a cause. It’s not a club. It’s a business.
The security industry — established behemoths and startups alike — is in the business of being in business. It may be staffed by passionate, idealistic and caring individuals, but those individuals enjoy paying their mortgages.
These companies also provide solutions that aren’t always ready from the perspective of market, economics, culture, adoptability, scope/impact of problem, etc. This is why I show the Security Hamster Sine Wave of Pain and why security, much like bell bottoms, comes back into vogue in cycles…generally when those items above converge.
Now, if you overlay what I just said with the velocity and variety of unconstrained innovation that attackers play with, you have a clearer picture of why we are where we are.
Of course, no rant like this would be complete without the anecdotal handwaving bemoaning flawed trust models and technology, insecure applications and those pesky users…sigh.
The reality is that if we (as operators) are constrained to passive defense and are expected to score progress in terms of moving the defensive line forward versus holding ground, albeit with collateral damage, then yes…we’re losing.
If, rather, we assess our ability to influence outcomes such that the business can function at an acceptable level of risk, where “winning” and “losing” aren’t measured in emotional baggage or absolutes, then perhaps more often than not, we’d be winning instead of whining.
It’s all a matter of perspective, really.
I think staring at things other than one’s bellybutton can deliver some.
Try it. It won’t hurt. Promise.
/Hoff
I mostly agree with you, so of course, I’ll have to vociferously disagree with you somewhere. I think you’re wrong when you measure the effectiveness of security by whether or not the security industry is making money. The security industry is functionally parasitic. The real question is:
Is our host healthy or not, and are we displacing enough other parasites (the adversaries) to permit the host to function?
I think the answer is “yes”, and I suspect you do, also. Which means we’re agreeing again.
What has changed, IMO, is that security is now in the conversation in the executive suite when it comes to the analysis of winning and losing in regards to the broader organization. This shift does change how security is measured and valued, and therefore improves the profile of security within the organization. We all benefit when security makes the transition from being perceived as a “necessary burden” to something that enables the organization to function effectively in the face of the evolving risks. Of course, a better valuation in the executive suite is only a moral victory until the perceived value drives additional budget dollars.
I absolutely agree, a huge proportion of security vendors are snake oil merchants. This fact aside, what are you proposing?
There is a cycle to these “enable business” and “risk-weighted investment in security” rants. Remember ROSI, years ago, for example? Why did it not stick, if it was supposed to be the solution to making security tangible to the execs? How do you measure a monetary value of adding a firewall? How do you calculate a “risk” related to getting hacked that makes sense?
If you do have answers to these questions (real answers – a worked out example with numbers that I can show my CEO, not general framework handwaving), please share.
Your rant is doing exactly what it tells us not to do – emotionally complaining about the state of things without providing pragmatic solutions. Perhaps this is a typical behaviour of security people 😉
I am currently experimenting with SABSA-based approaches, they might work if cut down to size. Ask me in a year.
Actually, if you read my blog (beyond this one entry), follow my initiatives and have seen my presentations, this “emotional complaint” you allude to includes numerous examples of how I (and others) move the ball forward. In fact, I can directly answer each of your questions, “How do you measure a monetary value of adding a firewall?” and “How do you calculate a ‘risk’ related to getting hacked that makes sense?”, with both qualitative and quantitative answers. These answers are the very ones that enabled the organization I was the CISO for to increase their lending cap by $1B, attributed directly to these risk analytics activities that my team deployed.
That was in 2003. Here is a presentation from 2008 summarizing this:
http://media.techtarget.com/searchFinancialSecurity/downloads/New_Operational_Discipline_NetSec.pdf
So why don’t you browse that presentation, the rest of my blog and come back with an assessment of whether you think I’m merely complaining.
I like the point. I’ve felt for years security flogs itself over every failure. It’s kind of like expecting the police to STOP (not even catch) every crime. In reality, even on a good day, some crimes happen, and some of the criminals are never caught.
There’s a fundamental difference between security risk and the risk of a NASA mission. In NASA’s missions, failures are mostly chance. What percentage of parts are made out of spec? How often does vibration exceed X? Even how often does the person forget to put the plastic doodad on the other doodad?
In security risk, you have a person with free will choosing to compromise you and choosing to harm you. That risk must be managed fundamentally differently. It is much more like keeping up with the Joneses. Or, you don’t have to run faster than the lion, just faster than the other guy running from it. I’m sure some porcupines get eaten; however, when compared to the number of furry things getting eaten, the porcupine comes out ok.