I’m all for thought leadership. Folks driving our security thinking and activities forward benefit from it. Josh Corman is one of those leaders. He’s a big thinker – he can suspend disbelief and reality long enough to envision a different outcome, and make his points with passion.
I’m also all for action. As a CEO I worked for once told me, “Nothing gets done until someone sells something to someone.” In security that means at some point the controls have to be implemented, the flanks monitored, and the attacks defended. Dave Shackleford gets things done. Quickly. He thinks fast. He talks fast. He’s always moving. He’s like the Tasmanian Devil.
These two got into a Tweet ‘fight’ (whatever that means) last week over Josh’s CSO article The Rise of the Chaotic Actor, Understanding Anonymous and Ourselves. Dave sat down long enough to bang out a response, Less Talk, More Action. I had nothing better to do on a flight home, so why don’t we investigate the gray area between them. Some aspects of both their positions make sense to me. And some don’t – depending on agenda and perspective.
Josh is an analyst. He’s not hands-on anymore. If he hacks anything, it’s in his spare time, which I know is limited. We analysts cannot spend 60% of our time fixing things like Dave. There is too much pontificating to do. We have to influence behavior by writing thought provoking pieces to shake folks out of their day-to-day misery, into thinking a bit more strategically and broadly. That’s what Josh’s piece was about. He makes the case that, once again, our adversaries’ motives are changing – to defend against them we need to understand the new reality.
But Dave has a good point too. Time spent obsessing about how to defend against a collective like Anonymous is time not spent on more active work, such as patching systems, training users, and implementing new controls. Shack points out that if we could spend 10% more time doing things, we probably wouldn’t be quite so screwed. And we are screwed, as the fine folks at Verizon Business point out every year in their DBIR.
As usual, the truth is somewhere in the middle, depending on who you are and what you are responsible for. You don’t always think strategically, and you can’t always be doing things. Dave did toss that into his post. Security architects need to understand the current threats and how to evolve defenses. Those folks need to pay attention to Josh. For them, the chaotic actor is important.
But there are many more practitioners doing poor jobs on fundamentals. A lot more. No matter the size of their company, these folks suck at security. They can’t even walk, so asking them to ponder the dynamics of running a world class 200m race is stupid. That’s Dave’s point. These folks need to fix the steaming piles of their security programs before they worry about Anonymous, or anyone else for that matter. A script kiddie can take them down, so a nation state is off the radar.
As usual, when you push a targeted message like Josh’s widely – such as through CSO Magazine – you are bound to annoy people. When Dave gets annoyed he tends to fire with both barrels, which I certainly appreciate. I know someone like that. To be clear, most folks working on security should spend more time letting Dave teach them the fundamentals, rather than having Josh expand their viewpoints. I think that was Dave’s point.
My point is that it’s up to you to understand whether you should be thinking strategically or tactically at any given moment. There are times and places for both. Fail to recognize your situation and choose the right response, and you will become just another statistic on Kushner and Murray’s survey. You know, the one tracking the average tenure of security folks.