Rocky DeStefano had a great post today on FudSec, Liberate Yourself: Change The Game To Suit Your Needs, which you should read if you haven’t already. It nicely highlights many of the issues going on in the industry today. However, I just can’t agree with all of his assertions. In particular, he had two statements that really bothered me.
Information Security Leadership. We need to start pushing back at all levels here. It’s my opinion that businesses need to care much less about being compliant and more about being fundamentally secure – or if you prefer, having better visibility into real risk. Risk to the mission, risk to the business, not the risk to an asset. We continue to create irrelevant measurements – irrelevant because they are point in time, against a less-than-secure model and on a playing field that is skewed towards the success of our adversary.
In a perfect, security- and risk-oriented world, I would agree with this 100%. The problem is that, from the business perspective, what they have in place is usually sufficient to do what they need to do safely. I’m a big fan of using risk, because it’s the language that the business uses, but this isn’t really a compliance versus security versus risk issue. What needs to be communicated more effectively is what compliance to the letter of the law does and doesn’t get you. Where we have failed as practitioners is in making this distinction and in allowing vendor and marketing BS to convince business folks that because they are compliant they are of course secure. I can’t count the number of times I’ve had folks tell me that they thought being compliant with whatever regulation meant they were secure. Why? Because that’s the bill of sale they were sold. And until we can change this basic perception, the rest seems irrelevant. Don’t blame the security practitioners; most of the ones I know clearly express the difference between compliance and security, but it often falls on deaf ears.
But what really got my goat was this next section:
As information security professionals how on earth did we let the primary financial driver for security spending be compliance initiatives? We sold our souls because we lacked the knowledge of the business and how to apply what we do in a meaningful way to the business. We let compliance initiatives that promised “measurable” results have their way because we thought we could tag along for the ride and implement best possible solutions given the situation. As I see it we are no better off for this and now our teams have either competing agendas or more work to drive us away from protecting our organizations. Sure we’ve created some “building codes” but do “point in time” snapshots matter anymore when the attacker can mold his approach on a whim?
I don’t know who Rocky has been talking to, but I don’t know a single security practitioner who thinks that compliance was the way to go. What I’ve seen are two general schools of thought. One rants and raves that everyone is doing it wrong and that compliance doesn’t equal security, but then engages in the compliance efforts anyway because it has no choice. The other is pragmatic: it accepts that compliance is here to stay and does its best within the existing framework. It’s not like we as an industry ‘let’ compliance happen. Even the small group of folks who have managed to communicate well with the business, be proactive, and build a mature program still have to deal with compliance. As for Rocky’s “building codes” and “point in time” snapshots, for a huge segment of the business world, this is a massive step up from what they had before.
But to answer Rocky’s question, the failure here is that we told the business, repeatedly, that if they installed this one silver bullet (firewalls, AV, IDS, and let’s not forget PKI) they’d be secure. And you know what? They believed us, every single time; they shelled out the bucks and we came back for more, like Bullwinkle the Moose: “This time for sure!” We told them the sky was going to fall and it didn’t. We FUDed our way around the business, we were arrogant, and we were wrong. This wasn’t about selling our souls to compliance. It was about getting our asses handed to us because we were too busy promoting “the right way to do things” and telling the business no rather than trying to enable them to achieve their goals.
Want an example? Show me any reasonable evidence that changing all your users’ passwords every 90 days reduces your risk of being exploited. No wonder they don’t always listen to us.
39 Replies to “Changing The Game?”
Hi Ben!
I know of several companies with ERM programs.
Thank you,
Alex
@Mortman. Interesting request. A FAIR analysis can be used to demonstrate variance in resistance strength (formerly referred to as
I’m talking about *business* risk, not *information* risk. I know people are doing info risk management. What I’m wondering is what we’re allegedly mapping to in terms of business risk management. It seems like we’re doing a whole lot of formalized “stuff” while the business just intuits its way through things.
@Ben
I have a dumb question (it’s apparently my theme for the week)… are businesses actually doing formal risk analysis and risk management today /at the business level/? Except for M&A, I can’t think of any time that I’ve seen it done. It reminds me of taking Decision Analysis in grad school… as I sat in the class drawing decision trees I wondered “who actually does this stuff?!?” The same now occurs to me around formalized risk management… it almost seems like most decisions are made off the cuff, with discussion, but not with much in the way of formalized calculation or consideration… it seems that only the “really big decisions” have much rigor, while everything else is just “managed” as part of daily operations/SOP.
Thoughts? Observations?
TIA!
@Chris Hayes
We are so on the same page. And you are right, this is much easier said than done. As you said, there are a ton of factors that go into such a calculation. The question is how do we get to a more reasoned estimate? You have a ton of data from your employer; any chance you can do a FAIR analysis and tell us what you get?
@David Mortman
This debate on the email question inspired another post on controls vs. outcomes: http://securosis.com/blog/security-controls-vs.-outcomes/. It was too much to squeeze into a response…
@Chris Hayes
You make a great point. Namely, that there are risks other than passwords being cracked that need to be worried about, such as password sharing. Other concerns include password theft from phishing and whatnot.
My concern is still that 90 days is completely arbitrary. We as an industry made up a number that made us feel happy on the basis of absolutely no evidence whatsoever that 90 days is useful. Now we are stuck with it because it is ensconced in various regulatory requirements such as PCI, so now this debate is moot (cue 1980s Jesse Jackson SNL skit).
“Finally, changing passwords on a frequent basis for IDs that are
For those who don’t read Rybolov’s blog, @Mark Wallace is referring to this post: More on the Rybolov Information Security Management Model (http://www.guerilla-ciso.com/archives/1406)