Rocky DeStefano had a great post today on FudSec, Liberate Yourself: Change The Game To Suit Your Needs, which you should read if you haven’t already. It nicely highlights many of the issues going on in the industry today. However, I just can’t agree with all of his assertions. In particular, he had two statements that really bothered me.
Information Security Leadership. We need to start pushing back at all levels here. It’s my opinion that business’s need to care much less about being compliant and more about being fundamentally secure – or if you prefer having better visibility into real risk. Risk to the mission, risk to the business not the risk to an asset. We continue to create irrelevant measurements – irrelevant because they are point in time, against a less-than secure model and on a playing field that is skewed towards the success of our adversary.
In a perfect, security and risk oriented world, I would agree with this 100%. The problem is, that from the business perspective, what they have in place is usually sufficient to do what they need to do safely. I’m a big fan of using risk, because it’s the language that the business uses, but this isn’t really a compliance versus security vs risk issue. What needs to be communicated more effectively is what compliance to the letter of the law does and doesn’t get you. Where we have failed as practitioners is in making this distinction and allowing vendor and marketing BS to convince business folks that because they are compliant they are of course secure. I can’t count the number of times I’ve had folks tell me that they thought being compliant with whatever regulation meant they were secure. Why? Because that’s the bill of sale they were sold. And until we can change this basic perception the rest seems irrelevant. Don’t blame the security practitioners; most of the ones I know clearly express the difference between compliance and security, but it often falls on deaf ears.
But what really got my goat was this next section:
As information security professionals how on earth did we let the primary financial driver for security spending be compliance initiatives? We sold our souls because we lacked the knowledge of the business and how to apply what we do in a meaningful way to the business. We let compliance initiatives that promised “measurable” results have their way because we thought we could tag along for the ride and implement best possible solutions given the situation. As I see it we are no better off for this and now our teams have either competing agendas or more work to drive us away from protecting our organizations. Sure we’ve created some “building codes” but do “point in time” snapshots matter anymore when the attacker can mold his approach on a whim?
I don’t know who Rocky has been talking to, but I don’t know a single security practitioner who thinks that compliance was the way to go. What I’ve seen are two general schools of thought. One is to rant and rave that everyone is doing it wrong and that compliance doesn’t equal security, but then engages in the compliance efforts because they have no choice. The other school is to be pragmatic and to accept that compliance is here to stay, and do our best within the existing framework. It’s not like we as an industry ‘let’ compliance happen. Even the small group of folks who have managed to communicate well with the business, be proactive, and build a mature program still have to deal with compliance. As for Rocky’s “buildng codes” and “point in time” snapshots, for a huge segment of the business world, this is a massive step up from what they had before.
But to answer Rocky’s question, the failure here is that we told the business, repeatedly, that if they installed this one silver bullet (firewalls, AV, IDS, and let’s not forget PKI) they’d be secure. And you know what? They believed us, every single time, they shelled out the bucks and we came back for more, like Bullwinkle the Moose “This time for sure!” We told them the sky was going to fall and it didn’t. We FUDed our way around the business, we were arrogant and we were wrong. This wasn’t about selling our souls to compliance. It was about getting our asses handed to us because we were too busy promoting “the right way to do things” and telling the business no rather then trying to enable them to achieve their goals.
Want an example? Show me any reasonable evidence that changing all your users’ passwords every 90 days reduces your risk of being exploited. No wonder they don’t always listen to us.
Reader interactions
39 Replies to “Changing The Game?”
@Chris Hayes – thanks for the link, I’ve grabbed the file, will give it a read in the coming days/weeks.
@Chris Hayes, Rich – What concerns me is that, in looking back at previous FTE security gigs, I don’t recall any direct interaction between info risk mgmt proponents and people performing business risk analysis on a daily basis. In fact, I’d be hard-pressed to tell you who on the business side was doing the risk analysis and mgmt. I’d wager that I’m not alone in that experience.
I understand the ties between info risk mgmt and traditional business risk mgmt, but it makes me nervous that we often talk about things like “business alignment” and yet we’re not necessarily interfacing with the business, or at least not with the right business people. So, my concern is perhaps less about how we’re doing things (formal info risk mgmt methodology) and more about who we’re engaging on the business side, or if there is even consistently someone on the business side with whom we could interface.
I think we need to also remember that the vast majority of businesses in the US are small businesses. Citing the big insurance and finsvcs companies is great, because it provides an anchor, but is that just the 20 of the 80/20 rule? Or can one safely estimate that the vast majority of companies, regardless of size or industry, are doing formal risk mgmt? I don’t know the answer, but the possible answers make me nervous. It’s hard to be credible with the business if they have no idea what you’re talking about…
>One of the best ways I have had the probability vs. possibility concept explained to me is from
> Jack Jones the founder of the FAIR methodology. Imagine you have a revolver with one bullet in
> the cylinder and a semi-automatic pistol with a full magazine one round in the chamber.
I thought of a different interpretation, just thinking of the revolver:
“Possibility” is defined by the logic of the pistol — firing pin, trigger, ammo chambers, barrel, etc., plus the existence of bullets. Whether it’s possible to fire on the next squeeze of the trigger is determined by this logic. If there are no bullets in existence, or of the pistol logic is screwed up, then there is no possibility of firing.
“Probability” of firing a bullet on the next squeeze of the trigger is defined by the configuration of bullet(s) in the chamber(s), relative to the firing mechanism. (Or, it’s defined by your information about bullets and chambers, from a Bayesian perspective).
Chris,
I can’t thank you enough for the insight you are bringing to this and the related threads.
When I first joined Gartner I was schooled on risk by our financial services team, lead by someone who came out of executive management in the insurance industry. It dramatically changed my naive perspectives at the time.
The problem I think we have in infosec is that the economics are skewed to distort risk analysis (see my post on the anonymization of losses), and we fundamentally lack the proper data to make truly informed risk decisions.
I do think we are creeping slowly in the right direction- the Verizon report is one example on the data front, and it’s the main reason we are focusing so much on metrics models.
One area where I do think we need to be cautious is the need in many financial and insurance models to tie everything to monetary value. Since “loss” has a different meaning in the digital world due to us usually not losing access to the asset as with physical loss, the models don’t fully translate.
That said anyone following this post who hasn’t studied both ERM and some of the major financial models should give them a look.
@Ben
“…cared to understood…” – obviously should be “cared to understand” durrrrr
@Chris Hayes – yes, true, hopefully one in the same, but I was more concerned that we were once again, as an industry, promoting a bottom-up approach to people who neither understood nor cared to understood the language we were using. I’d love to see how those discussions of business risk run in daily operations. How well do our info risk conversations align with that? I still see a lot of blank looks on the faces of business folks when the topic of info risk mgmt comes up…
@Mortman. Yes. It would be both a pleasure and a privilege. I will DM you my contact info.
@Ben – I would submit that information risk is business risk. Regardless, yes – I see business units at my employer that employ formal and at times very complex decision making methods. I have also witnessed non-information “risk issues” that are managed very formally – often in manners more stringent then information risks because of the implications (market risk, product risk, legal risk, etc..). In financial services – specifically insurance and given our economy – how would we even stand a chance of being ethically competitive?
@Chris Hayes
“I have performed password frequency related risk assessments for a business unit wanting to accommodate some of its