I haven’t met Richard Bejtlich yet, but I have a feeling we’d get along just fine. We’re both fans of the History Channel, have backgrounds in martial arts, love the show Human Weapon (martial arts AND the History Channel!), and have a background in the military (four years on a Navy ROTC scholarship, but I ended up becoming a paramedic instead of going active duty).

That said, I have to slightly disagree with his latest post where he criticizes Jay Heiser, my friend and former colleague, for being “anti-military”. As usual, I’ll be my slimy self and take a position just between my associates. I think I lived in Boulder, Colorado for too long or something – it made me go all soft.

Jay’s original article discusses how we, in non-military information security, need to leave the military mindset behind.

Military defense models are great for the military, and (as Richard’s post demonstrates) often contain some extremely valuable principles and techniques we can translate into non-military security. The problem with trying to follow military principles too closely is that they don’t translate well in two dimensions:

  1. The Mission: The mission of the military is dramatically different than that of most private businesses. The military is completely defined by the mission of defending the nation, from culture, to org structure, to every policy and procedure. That mission also creates a unique risk profile that doesn’t translate well to the civilian world. Sure, on the Internet we’re all targets, but when you combine the mission and risks of the military it drives policies and procedures that will be very different than what we civvies need. There’s overlap, but the devil is in the details and trying to push military models in commercial enterprises nearly always fails (unless we stick to very abstract levels, as Richard does in his post).
  2. The Culture: Human behavior doesn’t change, but one of the most powerful aspects defining behavior is culture. All organizations have a culture, whether they want it or not. I define culture as the instinctive behavior of employees; within an organization it’s what someone does without thinking. The military culture is one of the most powerful in existence, defining everything from haircut, to dress, to speech patterns. It’s been fourteen years since I left the Navy (and I was only active for summer training), and people can still tell. Civilian corporate culture is wildly divergent from military culture, and this limits the effectiveness of many military solutions to security problems.

We still have a lot we can learn from the military (and law enforcement, for that matter), and shouldn’t throw the baby out with the bath water, but we need to pay better attention to which lessons we bring over, and increase the rigor of how we translate those for private enterprises. Some examples?

  • Defense-style data classification doesn’t work outside of defense/intelligence/government.
  • Certification and accreditation are a waste of time and resources (probably for the government as well as the rest of us, but that’s for another post).
  • Common Criteria below EAL-5 doesn’t provide any significant value in assessing the security of a product.

I’ll keep telling budding information security pros to learn history, read Sun-Tzu, familiarize themselves with the Orange Book, and study military principles, but it’s equally important to show them where these models don’t work in the private sector, why, and how to translate them into something effective for us civilians.