the winning losing security debate

I saw the opening salvo on Twitter that prompted Chris Hoff's blog post, "You Know What's Dead? Security…", and he ended up penning a really good read.

I don't think it is worth much to talk about "winning" or "losing," ultimately. Security and insecurity are eternally linked to each other. This is maybe the first time I have really liked Hoff's blog name: Rational Survivability. It's about surviving in an acceptable state, or rather, simply not losing. There's no real win going on, and it might be too much to expect a win at any time.

I do think Hoff got a little sidetracked in his commentary on the security industry. I'll agree, in part, that the security industry isn't making solutions that are aligned properly. But I'll go on to say I'm not sure how a "product" of any type will ever be aligned enough to feel good about. These are just tools, and none will magically make someone think we're winning, in whatever sense of the word or feeling. If anything, the security industry's problem is trying to make its tools sound like they solve everything… There's also a certain bit of irony stuck in there somewhere, given that Hoff typically pens about "cloud" stuff… 🙂

If I may dig further, I also dislike the idea of "innovation" in security. Security is a reactionary concept. It reacts to innovation by attackers, or to innovation in the things security is securing, for instance new technology or assets. That may not always happen in practice, but then again some activity just doesn't end up being rational.