simple isn’t simple

(That’s the best title for this; afterspending a few minutes staring slack-jawed for a better idea, I figured I’d just steal the title.) Rich Mogull wrote a DarkReading piece, “Simple Isn’t Simple,” (and companion Securosis mention) that I think everyone should read. This part stood out to me:

We security pundits, researchers, and vendors tend to forget how hard real-world operational IT is. …I am saying we need to recognize that it’s hard at all levels. That even the easy parts are nearly universally difficult in practice.

This is one reason I often sacrastically wonder aloud whether some people who talk security only do security in their one-room office with 2 computers and an all-in-one fax/printer and ActionTec DSL/wireless router. Likewise, I appreciate anyone who understands which “easy” best practices are, in *real* practice, really difficult for various reasons. (Dare I say that a little empathy goes a *long* way to helping embattled security managers/analysts? And please don’t tell our execs what we should be doing in a tone that makes it sound easy!)

This is also one place where it probably sucks to be a QSA. You have one-liner PCI requirements and practices on one side, and a real world operation on the other. And then you tell them they need to rearchitect their network/systems…at what cost again? And it needs to be done before the next audit? Does the QSA know all the little things operations does to hide or cover issues when backs are against a wall? Maybe we should talk incremental improvements? (If Josh Corman needs more ammunition in his PCI debates, talk about going from no security to full security in one audit cycle and how healthy that will turn out to be! Hey, it might work…)

The only real easy part is when you get to buy a piece of technology and slap it in and it just works, say a card-activated magnetic door lock. But so much in security requires process (maintaining access, following up on logs, checking out anamolies, verifying proper working order, maintenance, safety…), which isn’t going to be very easy any time soon and is excrutiatingly hard to measure.