compliance-tested vs field-assessed

Bejtlich has posted a really nice beginning (furtherment?) to the discussion of digital monoculture vs heteroculture (or control-compliance vs field-assessed). I don’t really have strong feelings on either side, but the discussion itself is incredibly interesting to think about. I think there are pros and cons to either side, and I’d be willing to bet various important factors will dictate the value either approach brings. Things like organizational size, need to prove a compliance level (gov’t, defense, or just large and public?), and quality of both internal IT and internal security staff.

While I’ve previously not enjoyed the approach that the Jericho Forum has employed to back their vision of the perimeter-less organization, it does help that position to think of an organization as a heteroculture that uses field-assessed measurements for its security efforts. Typically my opinion is that perimeter-less security (as horrible a term as that is, since there is always a perimeter no matter what scope you lay out) and defensible endpoints are something you can only do when you go balls-in all the way, which is rare. Still, much of our security industry only adopts an approach like that at the barest of levels, which is why it ends up making no sense.

That’s not to say you can’t have a middle ground on the actual discussion in Bejtlich’s post. I only bring up the Jericho position because going to the extreme on field-assessed heterogeneous environments fits nicely with their world view. I probably fall into the bucket that says good measures of both approaches will bring the most value.

I’ll never be surprised that Bejtlich falls on the “field-assessed” side of this discussion. In fact, I think most trench-friendly security techs will be sympathetic to that side because it deals a bit more in fact, reality and specifics. Compliance is really made to be friendly to non-techs, both on the assessment side and on the consumption of the reports. It’s also the side I tend to be more friendly to.