Monthly Archives: March 2015

Failing Security Kindergarten

Now with APT detection and automated analysis to instantly identify cyber attacks!*

I’m fascinated by the continuously evolving hype-fest surrounding the latest “innovations” in security products. Not that our current methods couldn’t use some creative approaches, but the problem is that security leadership often gets dazzled by feature road maps that have as much substance as the wisps of smoke from a genie’s bottle. The media isn’t much help, often accepting the industry’s claims with little to no validation. Inevitably, organizations surrender to the glittering new toy, sinking their precious cash into something they thought would magically restore their faith in security. Then the harsh reality hits and they realize that the only impact the tool had was on their budget, failing to improve their security posture by even an angstrom. This is how organizations fail security kindergarten.

Most enterprises would be better served by investing in the ABCs of security: documentation, policy, procedures, and essential controls. I’m mystified by organizations that will invest over 500k in fancy breach detection systems, but won’t spend a dime on centralized log correlation. The sad truth is that the basics aren’t sexy. It’s hard to “sell” critical security controls such as account monitoring, data classification and handling standards when the news is filled with stories of China hacking health insurance companies. Maybe security professionals could make more of an impact by dropping the FUD and educating leadership about the necessity of having a solid foundation. Sprinkles are great, but they don’t mean much without a tasty doughnut underneath. Besides, sprinkles are for winners.

*An actual line from a security vendor’s web site.


Security Theater of the Absurd

“The tears of the world are a constant quantity. For each one who begins to weep somewhere else another stops. The same is true of the laugh.” – Waiting for Godot

In Samuel Beckett’s infamous absurdist play, Waiting for Godot, characters engage in pointless dialog and activity while waiting for an eponymous fellow who never arrives. I’ve always found it a tedious piece of literature, barely staying awake through the second act, which seems to exist solely for the purpose of torturing its audience. But isn’t despair the point of Theater of the Absurd?

Recently, I’ve come to realize that this play represents a perfect analogy for the daily grind of information security work. Lots of preparation for that big breach that may or may not arrive during your tenure. It often feels like the height of absurdity, going through the motions just like the two main characters, Vladimir and Estragon. Often, being in information security feels like a slow simmer of stress, sapping your energy and engagement, overwhelming you with the minutia of operational tasks: malware remediation, vulnerability management, compliance initiatives. It’s an endless exercise of cycling through superstitious behaviors that may or may not result in the reduction of risk, like throwing salt over your shoulder to keep the Devil away.

Theatrical critics have spent decades bickering over the play’s meaning, which only pales in comparison to how much information security professionals argue about how to accomplish their goals. In the end, it doesn’t really seem to matter. Organizations continue to disagree about the implementation of security controls to reduce risk; they’re breached, blaming the current leadership. A fresh team is brought in and the cycle begins again, like some reincarnation of Sisyphus rolling a stone up the hill only to be crushed by the weight of inevitable failure.

“There’s man all over for you, blaming on his boots the faults of his feet.” – Waiting for Godot


Does IT Security Matter?

A few months ago I came across an article by Nicholas Carr called, “IT Doesn’t Matter.” It was published by the Harvard Business Review in what seems like the Paleolithic era of 2003, but I was shocked by its relevance. At the time, it caused quite a controversy with many mocking Carr’s predictions, but with ever-increasing outsourcing and the commoditization of compute, it seems even more relevant. If you’re working in any sector of IT today, then you’ll find many of his ideas shockingly prescient.

In the article, he manages to call out IT on its over-inflated ego, its annoying self-importance and its tunnel vision with regard to the rest of the business. Twelve years later, IT still manages to create an idolatrous following among staff, convincing senior leadership that it’s central to an organization’s strategy, even as it continues to fail the business.

It’s a reasonable assumption, even an intuitive one. But it’s mistaken. What makes a resource truly strategic – what gives it the capacity to be the basis for a sustained competitive advantage – is not ubiquity but scarcity. You only gain an edge over rivals by having or doing something that they can’t have or do. By now, the core functions of IT – data storage, data processing, and data transport – have become available and affordable to all. Their very power and presence have begun to transform them from potentially strategic resources into commodity factors of production. They are becoming costs of doing business that must be paid by all but provide distinction to none.

…as their availability increased and their cost decreased – as they became ubiquitous – they became commodity inputs. From a strategic standpoint, they became invisible; they no longer mattered. That is exactly what is happening to information technology today, and the implications for corporate IT management are profound.

However, the part of the article that really caught my attention was where he points out that IT actually increases organizational risk.

When a resource becomes essential to competition but inconsequential to strategy, the risks it creates become more important than the advantages it provides. Think of electricity. Today, no company builds its business strategy around its electricity usage, but even a brief lapse in supply can be devastating (as some California businesses discovered during the energy crisis of 2000). The operational risks associated with IT are many – technical glitches, obsolescence, service outages, unreliable vendors or partners, security breaches, even terrorism – and some have become magnified as companies have moved from tightly controlled, proprietary systems to open, shared ones. Today, an IT disruption can paralyze a company’s ability to make its products, deliver its services, and connect with its customers, not to mention foul its reputation. Yet few companies have done a thorough job of identifying and tempering their vulnerabilities. Worrying about what might go wrong may not be as glamorous a job as speculating about the future, but it is a more essential job right now.

Sound familiar? Consider some of the recent breaches such as Target, Home Depot and Sony. This presents an odd contradiction: as IT becomes less relevant to business strategy due to its ubiquity, information security becomes more critical.

But Information Security will only deliver value if it understands context. I consider this as I recall recent conversations I’ve had with other security professionals in which they lament how misunderstood they are and how little the business appreciates what they do. The problem is that many don’t respect the people who generate the revenue that allows them to have jobs. Often they’re so busy focusing on the minutiae of finding vulnerabilities and exploiting them that they can’t pull back to understand that this only delivers value if it helps to reduce overall risk to the organization.
