I can’t imagine that anyone who reads my site doesn’t also read Bejtlich’s blog, so this post is mostly a reference for myself. Bejtlich has posted a thoughtful piece on several pointed issues that I firmly agree with. I know digital security has a few absolute Laws (there is no silver bullet, you will suffer intrusions, etc.), but some of the topics in his post are what I would call Demi-Laws or sub-Laws: things that are typically true and should be kept in mind in any digital security situation.
– management by belief (I think a Bejtlich term) increases as one climbs the organizational ladder, i.e. as one moves away from operations and hands-on, day-to-day work. The real pulse of an organization’s security rests with the incident responders and the operations guys.
– somewhat related, the bar for acceptable security likely rises as one moves down the organizational ladder toward the operations guys. The techs typically can’t accept risk, whereas managers can; thus operations tend to be far more difficult to satisfy.
– management does not like hearing “yes, we spent $xxx on a security technology, but it still does not ensure our complete security even in that one area.” Security requires a different definition of success, which we need to explain at every opportunity.
– digital risk is much harder to see: compare “the network is slow,” which everyone notices immediately, with a SQL injection flaw quietly leaking your database through your website.
Everyone should be asked the point-blank question Bejtlich asks: “Do you believe all of your defensive measures are 100% effective?” One of my top Laws is that security will fail. Once we accept that, the answer becomes apparent and we can move forward instead of living in some warped, rose-colored reality.
Do you know how often people know better about some topic but feign ignorance? Sometimes it’s when they find something out, sometimes it’s toward themselves. It’s an interesting psychological issue… I think our culture tends to have a pull toward living in some state of ignorance about most things…