I don’t disagree with the post Josh made, but it doesn’t necessarily leave me in a beautiful spot. There are three thoughts I have in response to the post.
First, sure, I’ll buy on a certain level that we need to change. But even if we all agree we need to, what next? That isn’t answered at all. This sort of discussion is something I’ll have in the bar over drinks with fellow geeks, but that doesn’t make it fruitful or useful.
Second, why do we need to change? I know, Josh went into this in detail as business always changes and attackers are ahead of us and we don’t retire security tools and so on. But he doesn’t sell me on why those situations are bad or how they are not supposed to be that way. Do we want to change just because we have attackers taking some wins? We (defense) can’t “win” security, so will this argument be a perpetually fueled one? By the very nature of things, insecurity will always be ahead of security as one follows the other. Fundamentally, this is not a new issue with PCI or even computers.
Third, that’s not to say I’m saying we’re doing the best we can. But I’m not going to go so far as to throw up my hands and start over or think some new evolution or innovation will save us.
Let me get a few statements made that I don’t think need fancy backing statements and proofs that kind of relate to my mindset on this topic after reading his post and the comments. Really, I tried really hard to make these quick, but sadly I still fail.
1. Change is inevitable in business. (the unknown)
2. A good portion of the infrastructure does not change (the known).
3. Security needs to manage…security…for both #1 and #2.
4. Security is a function of economics.
5. We get better at managing #2 given time and resources.
6. We get better at managing #1 given resources. Time turns #1 into #2.
7. #1 introduces uncertainty and new risks, challenges, security holes. Less knowledge; often more complexity.
8. Security is not necessarily against #1, but it puts pressure to be secure and yet be economical in the business and a non-barrier. A security guard will never speed up flow past a checkpoint, he will only ever slow it down.
9. There is no “security win” or “state of security” to security geeks, but that might exist for a narrower business perspective (compliance).
10. The culture and personality of executive mgmt (or stakeholders) will determine how everything above (#1-8) are handled and in what order/magnitude.
11. We will always be better at securing the known (#2) as opposed to securing the unknown (#1). Attackers will be unpredictable in their skill at attacking #1 and #2; 0days happen in both.
12. It is as difficult for business to put security up front on par with the pace of agile/forward-thinking and new business ventures and experiments (clouds, etc) as it is for a new programmer to build security before proving that her code actually works. Likewise, it is as difficult as a start-up company having a mature infrastructure (both tech and mgmt) before they know their ideas/products are economically viable. It doesn’t work any other way! This is very hard-wired in almost everything we do that is new and bleeding edge. You plug in the cable and test connectivity before you lock down that connectivity. You have a control group before you have an experiment group. You build Facebook before you secure it.
13. Business will always reward the agile risk-takers up front, for better or worse.
14. Again, if you move forward, you can’t come close to perfect security. Truly accept that.
15. And this gets back to detection, response, visibility, transparency, standards, identification/authorization, least privilege, monitoring, logging. Things that are ongoing and don’t necessarily care or change based on legacy or bleeding-edge infrastructure. It doesn’t take an “evolved security geek” to do those things well, regardless of the level of #1 and #2 in an organization.
16. And lastly for now, while mgmt and stakeholders control the weather of corporate culture, the level of passion and enthusiasm in security geeks will determine their course of actions as well. Not the least of which is their own happiness with their current state of security and effort.