Planning vs. Acting

By Mike Rothman

I’m all for thought leadership. Folks driving our security thinking and activities forward benefit from it. Josh Corman is one of those leaders. He’s a big thinker – he can suspend disbelief and reality long enough to envision a different outcome, and make his points with passion.

I’m also all for action. As a CEO I worked for once told me, “Nothing gets done until someone sells something to someone.” In security that means at some point the controls have to be implemented, the flanks monitored, and the attacks defended. Dave Shackleford gets things done. Quickly. He thinks fast. He talks fast. He’s always moving. He’s like the Tasmanian Devil.

These two got into a Tweet ‘fight’ (whatever that means) last week over Josh’s CSO article, The Rise of the Chaotic Actor: Understanding Anonymous and Ourselves. Dave sat down long enough to bang out a response, Less Talk, More Action. I had nothing better to do on a flight home, so let’s investigate the gray area between them. Some aspects of both their positions make sense to me. And some don’t – depending on agenda and perspective.

Josh is an analyst. He’s not hands-on anymore. If he hacks anything, it’s in his spare time, which I know is limited. We analysts cannot spend 60% of our time fixing things like Dave. There is too much pontificating to do. We have to influence behavior by writing thought provoking pieces to shake folks out of their day-to-day misery, into thinking a bit more strategically and broadly. That’s what Josh’s piece was about. He makes the case that, once again, our adversaries’ motives are changing – to defend against them we need to understand the new reality.

But Dave has a good point too. Time spent obsessing about how to defend against a collective like Anonymous is time not spent on more active work, such as patching systems, training users, and implementing new controls. Shack points out that if we could spend 10% more time doing things, we probably wouldn’t be quite so screwed. And we are screwed, as the fine folks at Verizon Business point out every year in their DBIR.

As usual, the truth is somewhere in the middle, depending on who you are and what you are responsible for. You don’t always think strategically, and you can’t always be doing things. Dave did toss that into his post. Security architects need to understand the current threats and how to evolve defenses. Those folks need to pay attention to Josh. For them, the chaotic actor is important.

But there are many more practitioners doing poor jobs on fundamentals. A lot more. No matter the size of their company, these folks suck at security. They can’t even walk, so asking them to ponder the dynamics of running a world class 200m race is stupid. That’s Dave’s point. These folks need to fix the steaming piles of their security programs before they worry about Anonymous, or anyone else for that matter. A script kiddie can take them down, so a nation state is off the radar.

As usual, when you push a targeted message like Josh’s widely – such as through CSO Magazine – you are bound to annoy people. When Dave gets annoyed he tends to fire with both barrels, which I certainly appreciate. I know someone like that. To be clear, most folks working on security should spend more time letting Dave teach them the fundamentals, rather than having Josh expand their viewpoints. I think that was Dave’s point.

My point is that it’s up to you to understand whether you should be thinking strategically or tactically at any given moment. There are times and places for both. Fail to recognize your situation and choose the right response, and you will become just another statistic on Kushner and Murray’s survey. You know, the one tracking the average tenure of security folks.

There is some truth in what you say. It is important to evaluate threats. But a few retorts to your comments:

1. I did not ignore the audience, not in the least. I think if you are insinuating that “security leaders” should be folks reading drivel that really helps them very little, I have to ask - what kind of “leaders” are these? Let me direct you to Richard Bejtlich’s blog on qualities of leadership:

Real leaders lead by doing, and understanding what their “do’ers” are in fact doing. You have actually helped make my point about the state of things today - too many “leaders” who pontificate and throw around fun buzzwords like “risk” and “metrics” and “governance”, with little to no time spent on understanding the actual technical nature of the environment they work in or the attack landscape. I meet a lot of “security leaders” who are so desperate to “fit in” to “the business” that they neglect the nuts and bolts of what is fundamentally a technically-oriented discipline. And that is sad, if not pathetic.

2. Stopping things that aren’t effective is a great idea. Let me ask you this, though, in the context of the current discussion - knowing about “Anonymous” and other types of attackers changes exactly WHAT for you? What will you do differently? Where will you allocate more or less operational time? I think this kind of knowledge does exactly NOTHING for your overall security program unless a) you are a state agency that has to concern itself with groups of attackers that are politically motivated, or b) you have been specifically identified as a target, and need to react against a specific enemy.

By Shack

While Dave may make a good point, he is ignoring the audience. The article was in CSO magazine, which is targeted at security leaders, not security do’ers. They need to be keeping an eye on the horizon.

As for spending more time doing things, it is far more important to evaluate the threats we really face so we can have a security posture grounded in current reality. We need to _stop_ doing some things that aren’t effective so we can find that additional 10% of time. Knowing the difference between what works and what doesn’t takes time, but it is time well spent.

By ds

Hi RH,

Except that I’m not. I’ve been there, and appreciate the whole “water cooler” thing. However, I see way too many security managers who wrap themselves in “governance” and rhetoric. C’mon. I’m not ignorant to understanding the risk and threat landscape. But all talk, and reciting the latest incredible “news story” does ... What? Ours is a discipline technical in nature, and relies on technical acumen to fully understand and articulate risk. If your career is built on “water cooler” topics, I’ll likely be reading about your organization in the news in the future. I for one have had enough of the “strategists” with no tactical knowledge or understanding.

By Shack

Both of them are looking at different layers of the same pie.
CEOs and boards are not oblivious to security anymore. It’s coming at them from their news shows (Stuxnet, Facebook-olutions in the ME), their kids (Sony PSN going down (and up, and down)), their government, etc. etc.

They want to know where they stand in the scheme of things without listening to the ages-old FUD. For those that need to do this explaining (and thus get the funding) and then to also better allocate those funds, Josh’s layer of the pie (the dough?) is the focus, his analysis, more than just being a different way of looking at the threat models also is closer to a non-security person’s way of looking at the world.

I think Dave mistakenly underestimates the importance of the water-cooler.

By R H
