the quagmire of solving security

Amrit Williams has an awesome post about the state of security, and I thought I’d dive into it. Just to state up front, I agree with some things and disagree with others, but in no way think discussion like this is wrong.

…What underlies all of these positions is a belief that the status quo is woefully ineffective and the industry is slated for self-destruction or, as a whole, we will succumb to a digital catastrophe…

Well, I can confidently say nothing will self-destruct, nor will any killing catastrophe happen. People in general are resilient bastards, as are business and technology. In short, life and technology and progress will move on. Sure, there may be stumbles and maybe even paradigm-changing events, but that is all still progress, in my book. In short, I don’t believe that sort of belief should exist.

… trapped in an OODA loop that will forever deny us victory against malicious actors because we will never become faster, or more agile than our opponents…

One could argue that we’re not meant to be faster or more agile than our opponents. I’m sure there are military comparisons here somewhere, as well as comparisons to security ever since the first caveman wanted to protect his territory. While the battlefield changes, I really think the core concepts of security really don’t. Why implement more security than you need to meet known and maybe unknown threats? I won’t belabor the point, largely because I won’t go terribly far to defend it. This is just an avenue of discussion that is useful to dive down and dirty into because it helps to figure out people’s religions/beliefs/approaches. I truly believe we need to both react *and* anticipate as much as possible; there is no win, but we don’t have to be drug behind the cart.

Organizations tended to react driven by a security incident or compromise, an audit or compliance event, or due to perceived changes in the threat landscape. For the most part security has been and still is an afterthought.

Truth! There is also the need for someone to think like a paranoid nut (trust no one), the need for expert-level knowledge to properly anticipate and bake in security while also meeting requirements, and so on. But as a corollary to my above paragraph, the question may be whether security will *always* have a major “afterthought” component to it.

For example the concept and delivery of cloud-computing was introduced and then it was realized that the lack of security…was a huge inhibitor to adoption.

I think the cloud is a poor example. This isn’t a technology that consumerland is clamoring for as the obvious answer. I would say the inability to understand how to integrate the “cloud” into one’s own processes is a bigger inhibitor. (Obviously, I’m not counting gmail or CDN services or hosting services as “cloud” providers.) I think security is a convenient bed-buddy for the fact that these cloud services just aren’t to-die-for-and-obviously-must-have-right-now, nor are they consumerland toys. If consumerland had been behind them, like iphones or mobile devices, security would have had far less actual or perceived weight.

Most security professionals lack an understanding of the operational environment that they work within and they lack the ability to modify that environment even if they did.

Absolutely correct. The reverse is often true as well. Operations lacks understanding of security risks and countermeasures. Hell, most of the time they have no managerial pressure to be secure and every managerial pressure to just get shit done as quickly as possible (scarily the same pressures developers have; maybe more to the point, managers won’t notice if security shortcuts are taken or rules wildly bent; hence our exploding role of auditors). This is why I personally feel (and I’m biased) that someone who can claim the roles of experienced security and experienced sys/netadmin is godly. Mix in some business sense, and you’ve got a closet (and probably quiet) rockstar in the back room.

Security must be operationalized, it must become part of the lifecycle of everything IT. This is the theme for 2011: Operationalizing Security.

I’d agree for the most part (even if I stray as these next few paragraphs develop). And this is exactly like baking in security during the dev lifecycle. It also shares the same problems. I also believe while this is necessary, it’s still not the panacea approach either. “Security as an afterthought” will always be around, but we should be building security in at all stages and making sure that it is part of operations.

However, the real challenge is taking this *out* of just the backroom server operations, and making it a part of the business fabric. But that always adds costs, right? So maybe business will say that this doesn’t make sense, why not save money by tacking on security after, and only when needed?

This is the fight that it ultimately boils down to. It’s not about the differences in how geeks or even IT overall approach technology and security. It’s a business and cultural decision on the value of security. And I’m not going to hold my breath that this will get very deeply ingrained. Hell, far too many people don’t physically secure their own homes, let alone cyberspace, let alone in business. This will only be a slow burn over generations as they are born with and live with technology.

Business constantly puts me into this situation:

“We’d like to implement ABC.”

“Well, you shouldn’t do ABC because it is insecure, goes against policy, and is going to be a risk. This is bad news. In fact, no I won’t do ABC for you. You should do it this other way, or maybe another way.” (Often, the first two sentences are just my own thoughts or discussion in my team.)

“But *can* you do ABC if we asked you to?”

“Well, yes, technically I can do it. I technically can also make your passwords all be the number ‘3,’ but that’s stupid.”

“Well, we need you to do ABC.”

*facepalm* (What is needed is a security-minded person to champion my viewpoint on their [IT development] side of the fence, and then another on the business side. The art is getting all sides to come to the correct conclusion, and having experts enough everywhere to make those correct conclusions attainable.)

This is where business leaders need to step in and make decisions. It is also the place where expert-level knowledge of business, technology, and security needs to be in place. And that’s insanely difficult, no matter how much we pray to the gods of IT/business alignment.

See? Now I’ve waded down far enough to find myself hip-deep in the quagmire. Go far enough in any direction, and you’ll find it. Yes, more security needs to be operationalized, but let’s not get too religious about it, since it also is not the ultimate answer.