Table Stakes

By Rich

This morning I published a column over at Dark Reading that kicked off some cool comments on Twitter. Since, you know, no one leaves blog comments anymore.

The article is the upshot from various frustrations that have annoyed me lately. To be honest, I could have summarized the entire thing as “grow the f* up”. I’m just as tired of the “security is failing” garbage as I am with ridonkulous fake ROI models, our obsession with threats as the only important metric, and the inability of far too many security folks to recognize operational realities.

Since I’m trying to be better about linking to major articles, here’s an excerpt:

There’s been a lot of hand-wringing in the security community lately. Complaints about compliance, vendors and the industry, or the general short-sightedness of those we work for who define our programs based on the media and audit results. Now we whine about developers ignoring us, executives mandating support for iPads we can’t control (while we still use the patently-insecureable Windows XP), executives who don’t always agree with our priorities, or bad guys coming after us personally.

We’re despondent over endless audit and assessment cycles, FUD, checklists, and half-baked products sold for fully-baked prices; with sales guys targeting our bosses to circumvent our veto.

My response? Get over it. These are the table stakes folks, and if you aren’t up for the game here’s a dollar for the slot machines.


In a strange way, I expect people in our field to complain and whine. In fact, it can be quite the cathartic experience. I would even say you’re not quite into a good security mindset/situation until you’re up on the balance board of the game; winning some battles but also feeling the pushback and uphill fights; knowing enough to know no one *does* enough and very few things are secure and very few orgs do much. Untapped analogy: the logrolling competitions at lumberjack games…only your adversary(ies) is invisible and the game never stops and you won’t ever win…

But there is a line that many do cross where the whine is taken internally and deeply…far more deeply than is healthy. And repeated. Over and over. And it truly defeats them and burns them out. And it simply does not lead to any changed action. That’s not good.

Good article, btw. :)

By LonerVamp

Responding to both of you,

Yep. Business as usual. But I do think we have much higher visibility than before, and thus while the fundamental nature of the game hasn’t changed, the details have.

Plus there are a lot of newer people just hitting their burnout time :)

By Rich
‘Twas ever thus, huh?

Seriously, what’s honestly changed? It’s always been like this in the security game.

Execs have always wanted the latest toys and we have always worried about securing them. We had this problem with iPaqs and Palm devices in ‘02. iPads and iPhones et al are just different flavours of the same problem. People even more long in the tooth than me will remember earlier flavours of such devices.

And developers have always ignored us by and large. I remember delivering an overview on web application security issues back in ‘04 to a room full of sceptical developers as part of kicking off a secure coding programme in an organisation I used to work for. They found the whole thing vaguely amusing and not much changed, though some might argue that this was the ineffectiveness of the programme and a lack of senior management mandate for what we were trying to do as much as developers being cynical - but I digress…

Vendors have always promised the earth and delivered little… that’s marketing for you (sorry, Mike!)

And compliance? We’ve been chasing that dream forever, jumping through whatever compliance hoop gets mandated next in the hope that it can score us a few extra dollars of credit for the security programme with the boss….

From where I’m standing, it’s BAU in terms of security….

By somebloke

@ Rich : Actually it is my fault, because I sometimes comment on blog posts you wrote a year or two after the fact.

I admit that I am guilty of personal attacks, but like jericho at, I only do so when it’s artistic, sarcastic, and/or funny. Of course, beauty is in the eye of the beholder and some people miss things like irony, sarcasm, and “jab in the ribs” humor when it’s done over the Internet. My apologies to those ever offended.

By Andre Gironda

I’m calling bullshit :)

I have never filtered any of your comments, and our policy is to only filter personal attacks (which you’ve done, but never here on the site, and nothing recent).

If something slipped through, it’s because it really slipped. I actually accidentally closed this one before opening it due to clicking through the UI too fast, so I’m sure it happens.

I’m sort of hoping we can do something to get rid of moderation again at some point. It annoys me to no end that we need it.

By Rich

More like no one approves blog comments anymore since blogspam took over!

The thing I love most about the industry is the personal attacks against each other, and the silencing of voices. For example, Jeremiah Grossman will always have Google administrators delete my Blogger comments to his blog. Even on Securosis, who claims neutrality and openness, I have seen one too many of my comments “slip through the cracks”.

By Andre Gironda

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.