Industry/Business/Risk Management/Process – Failures and Search for Hope
Banging on about the selectively forgotten root cause issues – that are glazed over for want of a prettier picture (alternative reality)…the ongoing “marketing” to sell millions/billions of dollars worth of magic (questionable) product that is; purchased by business without thought, implemented; without plan, committed strategy, effective process – through failed Risk Management methodologies….we go on and on. Let’s then celebrate mediocrity at each step.
Talking with David Rice recently about this topic, he had the following: “In line with what you said and in many discussions I had with other security guys at RSA this year. The level of frustration is palpable among those who “get it” and the chasm between reality and effectiveness is troubling. I’ve taken to treating cyber security as a whole as a “broken business”; that is, an under-performing business unit with ineffective leadership, incomplete strategy, no clear organization or prioritization, and weak impact on the environment. If there were any executives “in charge” of this business unit, they should be fired. The numbers speak for themselves.”
The forgotten fundamentals that we rarely go back to for answers….rather looking for answers where they are not…and hoped for in the new; that hasn’t seen light of day…and may never. All the while, most of the answers, we have, and have had for a long time. Fantasy and over-simplification to some this may seem – the reality to others.
Related (or not) links and posts:
- Marcus Ranum’s essay on The Anatomy of Security Disasters.
- The 7 Reasons why Businesses are Insecure.
- The dumb stuff of the past in Beast or Buddha.
And thanks to George Hulme (@GeorgeVHulme – Twitter) for this beauty (somewhat related): Layer 7 takes security to the cloud. You got to ask – seriously…WTF?
May 1st, 2009 at 4:50 pm
Info Sec is having enough troubles trying to figure out what to measure and how to measure it. It’s the perfect safe harbour. I’m not sure where half the industry has come from, but it appears to be a cash cow to milk. The mentality isn’t limited to any industry, but in an industry whose public perception is based around FUD, it’s all an uphill battle.
In a way it’s like those theft prevention companies that advertise that there’s been no break-ins on their watch etc….. How do they know if they don’t know there’s been an attack?
Back to the post in question, asking the 5 Whys/RCA is hard when there’s nothing pinned down to begin with. The questions are valid, the direction is valid, but it’s very easy to skirt around and produce another trick…..
Love this line in the Layer 7 marketing post…”a soup-to-nuts cloud security”. Soup to nuts cloud security? I don’t want my data anywhere near it!
Peace,
Wade
May 1st, 2009 at 6:07 pm
@Wade M, the question about where ‘half the industry comes from’ is such a valid question. From a worker perspective, more than half of the industry is full of people who have almost no idea. That is not including people assigned to manage security and security teams. That means you are on the back foot to begin with. Where do you go from there? It’s akin to getting someone with no AFL experience to coach and manage an AFL team and then people wondering why the team is coming last. The guy has no idea what it takes to win and, importantly, no idea how to hire and support people to make the team a winning one. Let’s just hire the cheapest players. At least we are doing what is needed to keep a team going. LOL.
What the hell is ‘soup to nuts’? Now that is one well written article. LOL. Just wish I understood what it all meant. Do we need to run a translation program over it?
May 1st, 2009 at 8:28 pm
Picking up on what Wade M said (and what I’ve rabbited on about ad infinitum here previously): “You don’t know what you don’t know.”
Shouldn’t infosec be about turning the unknown into the known?
As a general observation, hand on heart, I’d have to say we (our industry) really don’t want to know what we don’t know.
Someone, please convince me otherwise.
May 1st, 2009 at 8:32 pm
In no particular order of fuzziness:
Metrics.
Incident and data sharing.
Fail and blame psychology.
Generational future shock.
Snake Oil.
Silver Bullets.
Profiteering.
Elven magic.
Complexity begetting complexity.
Ostrich Risk Management.
Vs.
Integral CPU and cost thereof.
Integral message passing and cost thereof.
Integral object storage and cost thereof.
Integral power use and cost thereof.
Constant independent discovery and logical + physical asset management.
Properly defined controls, agents and parties.
Certified information, application, infrastructure and enterprise architects. Dynamic runbooks for ops, incidents.
Meaningful SLAs.
ISO 18028 anyone?
May 1st, 2009 at 8:36 pm
D2, as a CIO, CSO, CEO, I need to go with the former. At least I understand what all those things are. The latter, I don’t know. Never heard of them! I prefer what I know! Let someone else prove they don’t exist!