An Optimistically Fatalistic View Of The Futility Of Security



Hoff (and some others) have been talking a lot about hope and the future.

Chris has dedicated most of his recent posts to making us think differently about security. To drop our archaic models of the past and look towards solutions for the future. It’s a noble goal, one I support completely. Dr. Eugene Spafford, a seminal figure in information security, is also dedicating effort to the cause. I’m firmly in their camp and believe that while we don’t need an entirely new model for security, we definitely need to evolve. Information Security has been little more than basic network security and antivirus ever since Code Red and Melissa hit.

But that’s not important right now.

The essential questions are, “will we win?” And “do we make a difference?”

These questions are non-trivial and endemic to the human condition. Anyone, in any occupation, who is invested in what they do will frequently use these questions to position themselves in the world. For some an occupation is merely a way to pass the hours and pay the bills; these automatons contribute to the status quo, but don’t help society evolve. For the rest of us our occupation is an essential component of our identity. We define ourselves by our occupation, and define our occupation as we want to define ourselves.

I’ve worked in public safety my entire adult life, and spent most of my childhood, purposefully or not, preparing for my strange career. Over the years as I worked in different positions throughout public safety, from physical security, to emergency medicine, to information security, I was challenged by difficult questions of conscience.

When I started in emergency medicine, I had to reconcile the thrill of the job with the fact that I achieved professional satisfaction only through the pain and suffering of others. As much as I wanted to try that new procedure, or be on that big call, I had to accept that for me to exercise my skills, someone needed to suffer injury or illness. I reconciled such a potentially twisted mentality by realizing that it wasn’t that I wanted someone else to suffer, but I wanted to do my job and do it well. People will get hurt, sick, and die with or without my involvement; I was a professional and wanted to do the job I was highly trained for. If something was going to happen, I wanted to be the one to be there. As my experience and confidence grew, I also began to believe that the better I was at my job, the less that victim (or the family) would suffer.

Physical security was similar, but involved some slightly more complex mental gymnastics, which every cop and (I expect) soldier experiences. While as a medic you relieve pain and suffering, in physical security you often inflict it. We all loved the rush of breaking up a fight or catching a bad guy. There is an undeniable thrill in being authorized to use physical force on another human being: not a thrill of sadism, but the same emotions evoked by the sports we use to sublimate physical combat. In those cases my goals became to use as little force as possible and de-escalate situations verbally. Violence was not the objective; it was the last tool available to protect others.

I’d like to call it altruism, but the truth is there are visceral thrills and deep satisfaction in managing the challenges of emergency medicine, rescue, and physical security. I learned to accept this motivation without guilt, since the goals of safety and security called for such commitment. When safety and security become excuses to do bad things, that’s when a very bad line is crossed.

But back to security.

In information security we may not be faced by the prospects of blood and guts, but those of us “in the industry” need to accept that we make our money off the pain of others. There’s nothing wrong with this so long as we don’t take advantage of our clients. I’m not just talking about vendors; we in internal security also provide a service to a client. My personal philosophy around this is that I won’t lie or try to frighten just to enhance my own income, but I’ll tell the truth and charge what I think is fair value for my services. I also still perform some volunteer work for those who need the help but can’t afford it.

Security professionals earn our daily bread from fear and pain (sometimes very abstract pain, but pain nonetheless). There’s nothing wrong with that, but it does convey a responsibility not seen in other occupations.

The big question I haven’t addressed, one that underlies pretty much any occupation, is, “Do I make a difference?”

Psychologically I believe all humans fundamentally need to make a difference. It’s hard wired into our brains. If we’re not making a difference, we have only a few possible reactions. We can disengage from that activity and find fulfillment in other parts of our lives, or disengage from life completely. As sad as that sounds, we all know people who don’t see the meaning of their life and instead turn to a never-ending trail of distractions. We can also deceive ourselves and create illusions that we matter; I suspect many mountains of bureaucracy have been built on such falsehoods. We can also seek satisfaction elsewhere, actively finding a new job or career.

We can also do the absolute best job possible, fight the good fight, and try to rise above any limiting circumstances.

As a paramedic I may have been the one who saved a few lives and reduced a little suffering, but the reality is that if I hadn’t been there, someone else would have been. In mountain rescue we operate as a team and it’s a group of 40 or so people, not some lone hero, that makes the save. But although I personally wasn’t essential, and the rescue would have happened without me, society depends on collective actions to survive and progress. If no one cares, none of us matter.

We face the same mental and emotional challenges in information security as in physical security, law enforcement, the military, or emergency services. At times we feel helpless: the business will always ignore us and we’ll never be able to solve even the most obvious of problems.

But that’s not what matters. People smoke, drink, do drugs, eat fatty foods, don’t exercise, drive fast, run red lights, and vote against school budgets. Society still continues, and public servants still work hard and derive immense satisfaction from their work. Sometimes it’s the satisfaction of helping just one person, other times it’s the satisfaction of managing a complex situation with elegance, and sometimes it’s that one action you took that makes a difference on a large scale.

Just because we can’t fix the world doesn’t mean we shouldn’t try. We need to accept human fallibility, understand our own motivations, and do the best job possible. We can’t make all programmers secure coders, but we can educate them to the best of our ability and develop the most effective security controls possible. Home users will always click on things they aren’t supposed to, so we protect them as best we can and don’t blame them for not having a black belt in security-fu. Some vendors will lie, cheat, and steal their way into the market, but we evaluate, use the tools that work, and use market forces as best as possible to pull the others into usefulness. We can’t call everyone stupid who doesn’t believe in our new model or vision for solving security, but we can use those models to help people think differently and perhaps make small improvements.

As corny as it sounds, the future of an information-based society relies on those who secure it. We absolutely matter. We should use the day to day frustrations we all experience as excuses to find better ways to do our jobs.

We’ll never win. The battle started long before computers, and will continue long past any of us. But society perseveres, we always seem to get the job done, and we can derive infinite satisfaction from jobs done to the best of our ability. Individually we only matter to ourselves and a small circle around us, but collectively that circle grows and moves societies.

Maybe. Or maybe I just lived in Boulder a little too long…

14 comments

  1. rybolov Oct 18

    Hi Rich

    Maybe you and Richard Steinnon need to have a little chat. I think you could help him understand why his customer isn’t happy. =)
    http://blogs.zdnet.com/threatchaos/?p=483

    As for myself, about once a month I have a day of complete panic where I realize that maybe we should forget all of this IT stuff and go back to filing cabinets and index cards. Then I get over it and keep on pushing.

    Your mental gymnastics of a soldier is correct, although usually the trick is “How do I flank these guys and find a spot where they’re as heavily gunned?” or “How do I trap these guys so they don’t escape?” or even “How do I close to within assault range so I can actually kill these guys?”

  2. Adrian Lane Oct 18

    Fixing security is a little like fixing human beings. We’re all a little wacky and screwy in our own way, slightly mis-wired, and we are not going to be perfect. Security, because it involves people, in the same way will not be perfect unless it renders the basic service we are trying to secure inoperable. I just keep trying to get close enough, often enough, to make a difference. Great perspective and a great post. Thanks.

  3. windexh8er Oct 18

    If security, as it applies to information systems of today, is truly fatally futile (as stated) then I think we are thinking with the wrong perspective of what information security really is. I guess I would think, Rich, you might view security as it relates to your past profession in medicine a little closer. The playing field is never the same. Just because there isn’t a drug for every disease doesn’t mean the outlook is fatal. If that were the case and everyone thought along those lines medicine research would be a bust and everyone would stop wasting their time on the possibility of running into a dead end. Sure, medicine has side-effects — so does medicine. I’m just saying that if anyone ever thought security was a game of capture the flag and all we needed to do was complete that mission then those who think on those lines are in the wrong industry.

    In the end there’s always reactive and proactive forms of battling the attacks, exploits, and clueless users. If the proactive form doesn’t give a feeling of self accomplishment too bad, it’s the nature of the beast. Information security will never always be first and foremost on executives’ minds. It’s the business itself that is the component of interest and if we can protect that as best as possible then it’s a rewarding experience at some level.

  4. windexh8er Oct 18

    “Sure, medicine has side-effects — so does medicine.” — in the event of trying to beat a dying battery I mean to state “…so does information security.”

  5. rmogull Oct 18

    @windexh8er: I think I could have done a better job of explaining myself. It’s not that I think security is futile, but that the concept of “solving” security is. I love what I do and wouldn’t choose to do anything else (well, maybe Astronaut). I see what I do now exactly as a direct extension of my career in medicine/rescue; one with potentially much greater impact.

    I am, personally, immensely satisfied with what I do. This post was an unusual way of expressing that, and was inspired by the general depression I’ve been sensing from some of my colleagues in the industry. Personally, I focus on doing the best job I can and widening my circle to change as much of the world as possible, hopefully through real innovation. But I also don’t get all weepy when human nature won’t change to accommodate my world view.

    Of course, re-reading the post it’s kind of darker than I planned!

  6. windexh8er Oct 18

    I definitely think that the post was a great pulse on some of what the industry seems to be expressing. And a great post it is — I was just surprised at some of what you had stated, probably mostly the title of the post.

    Regardless — very interesting and keep up the personal views!

  7. Christofer Hoff Oct 18

    Well, I summed it up in my last post.

    I agree completely with the fact that the mission of Information Security is not a battle that can be won.

    I don’t know about you, but it seems (as your title implies) that if something is futile, it doesn’t really make sense to continue to invest in it.

    Go look at the definition of Information Survivability versus Information Security. It’s what, in my opinion, that folks should be investing their efforts in.

    BTW, I’m not weeping because I can’t convince humanity to change their nature. I’m actually not weeping at all. I’m very, very happy.

    Why? Because my viral marketing campaign is working precisely as I want it to. It’s being talked about.

    For every 5 comments dismissing my awareness campaign, I get 10 emails of people who may not agree in entirety, but are starting to *THINK* rather than just do.

    Making a difference is perceived in different ways…

    However, I can’t figure out if you are agreeing or mocking me due to statements like this “Just because we can’t fix the world doesn’t mean we shouldn’t try. ”

    That’s exactly my point.

    Good post.

    /Hoff

    http://rationalsecurity.typepad.com/blog/2007/10/information-sec.html

  8. rmogull Oct 18

    Perhaps I need to re-write the post. I am, completely and utterly, agreeing with you. No mocking, no sarcasm. I too am extremely happy and love what I do. It’s a worthy cause, and one I’ve dedicated my life to. I’m purposely furthering your campaign.

    We should absolutely invest in it, that’s not what I meant at all!

    But I think the naysayers in our industry need to either get over it or move on. If you find yourself blaming others for being human, move on. If you can’t get satisfaction and fulfillment and complain that it’s because the “world” doesn’t listen? Get over it or move on.

    I’ll be fighting the good fight to the end, as will you, and loving every minute of it. I’ll continue to try to change minds, but not take it personally if folks are folks.

    And the more you and I talk about this, the better.

  9. Stiennon Oct 19

    Your comments help clarify what you are trying to get across Rich. I have picked up on the malaise from a couple of bloggers as well. It may just be frustration that often comes to those that are no longer hands on. As you know from your analyst days, watching, observing, and prognosticating is not as satisfying as doing.

    This might help those of us who are experiencing Churchillian black moods:

    Don’t ask the question “will we win?” Ask the question “will we lose?” The answer to that is a resounding “Hell no!”

    -Stiennon

  10. Christofer Hoff Oct 19

    @Stiennon:

    I think that strangely out of everything I’ve been witness to you saying or reading, your last comment was the most profound.

    I was literally *just* thinking that most of the people harping against change and innovation (which is really the heart of what we’re talking about here) ARE operational.

    Of course they are, which is why they have a hard time letting go.

    @Mogull

    Thanks for the clarification. Don’t re-write it.

    /Hoff

  1. Suspicious Minds (We’re Caught In A Trap) | RiskAnalys.is
  2. Information Survivability vs. Information Security « Observations of a digitally enlightened mind
  3. An Information Security Place » Blog Archive » There sure are a lot of "WTF are we doing?" posts going around
  4. Information Security vs. Information Survivability: Retaking Our Vocabulary | securosis.com
