fudsec.com

Showcasing Fear, Uncertainty and Doubt from the Information Security Industry 

Do the Evolution...

Joshua Corman is the invited guest this week on fudsec.com.  This post goes pretty deep to the core, thus for maximum benefit I recommend reading at least 2 times :-).  I know Josh is looking for feedback/comment on this post so let us know your thoughts by leaving a comment.  Without further ado...thanks Josh!

By Joshua Corman [twitter]

Change is constant - and security professionals are change averse. To become partners to the business, we must have the courage to embrace and enable change. If we don't, we continue to fight the last war and remain an obstacle to the business.

“The path of the security professional is beset on all sides, by constant and turbulent change.” We find ourselves in a time of unprecedented change. The image below is currently my “one slide” I use when I talk about information security.

Cost, Complexity, and Risk have grown to unprecedented, unacceptable, unsustainable levels. Why? Well, in part, the sum total is being fueled by turbulent and accelerating rates of change across these five fronts:

1) Evolving Threat: The adversaries have shifted from Prestige, to Profit, Politics, and Prestige – and jumped from 1st gear to 5th gear – showing no signs of slowing.

2) Evolving Compliance: Compliance has eclipsed Threat as the primary driver of Security. Why? As a CIO so eloquently stated, “Josh, I might get hacked, but I will get fined.” Vendors follow the money - and the money is in compliance… Is anyone even trying to solve for our threat needs anymore?

3) Evolving Technology: Innovations like x86 Virtualization, Cloud Computing, iPhones in the workplace, and social media… barrage us at every turn. Each beneficial advance requires tremendous efforts to assure we can reap the benefits while preserving acceptable risk.

4) Evolving Economics: The global economic meltdown has slashed headcounts and cut budgets to the bone – further challenging our ability to address these sources of risk.

5) Evolving Business Needs: The changes that should affect the risk of a business are the ones that the CEO, Board of Directors, and their industries demand. Businesses are seeking ways to better collaborate with their clients and partners. They want to enter new markets or become more agile. Will security be the reason they can take these valuable risks? Or will security be the reason they cannot?

Evolving Security Professionals: What about our profession?

What is blatantly obvious to me is that “Evolution” is the headline.

What is also obvious to me is that the only ones not evolving are the good guys.

Where is our evolution?

Our population tends to be pretty risk averse. We tend to hate change. Change == Risk, right? Given that we are beset on all sides by constant and turbulent change, what does this mean for our roles?

For years we’ve been the person saying “No” to change. Can you now shift to become the agent of change? Instead of lying down on the tracks in front of the moving train, can you be the reason your company safely and selectively embraces the Cloud and its benefits to the business?

I see no signs that change is slowing. In fact, the signs are that change is accelerating. I’m pretty sure many of us will not make the required changes.

Many of you won’t want the job as our roles continue to morph – half of you are already unhappy. Those who continue to be at odds with the business may be asked to leave. For those who are capable of evolving, what are you waiting for?

We cannot continue to take backward-looking, static approaches to an ever changing, dynamic problem space. It is a fundamental mismatch. It clearly isn’t working now – and is only going to get worse. And no, static PCI rules are not going to save you. When the next major breach hits an organization that was *also* PCI compliant, should we be surprised? Would Einstein find you insane?

To date, there has been a stunning lack of evolution on our part. Change happens. Those who adapt, thrive. Those who fail to adapt… perish. Natural selection may help to thin the herd. Are you fit? Or unfit? Would Darwin be proud?

Most of my work over the last few years has been to challenge conventional wisdom. We need to get to the marrow of the things which prevent us from being more agile and aligned with that which matters most. We need to get past reacting to the last war and start strategizing for the next one. We started Information Security with Signature AV and Firewalls. Can you name *one* security control we’ve retired? Are we keeping pace?

The best of us love a challenge and thrive on this kind of change. There is a lot of latent talent in this industry. Now is the time to turn that potential into kinetic energy. Or we could continue to whine about PCI ruining risk management…

Improvise! Adapt! Overcome!

Learn to play Chess – you have incredibly talented and strategic adversaries.

Study USAF Colonel John Boyd’s brilliant OODA Loop. Observe, Orient, Decide, Act [repeat].

If you are feeling a lack of purpose, read LTC Dave Grossman’s On Sheep, Wolves, and Sheepdogs. Where are our Cyber-Sheepdogs?

My good friend Eric Hanselman once said, “We need the courage to sacrifice the past on the altar of change”.

Do you have that courage?


Comments (27)

Oct 16, 2009
shrdlu said...
Josh, you may be right, but you don't actually say anything concrete about what we're supposed to evolve INTO, what we're supposed to do DIFFERENTLY. You don't even go so far as to say we should get rid of our firewalls and AV. Dude, it's easy to slam the rest of us for not having courage, but I don't see you charting a visible course either -- at least, not in this blog posting.
Oct 16, 2009
wgragido said...
I believe what Josh is advocating is what many of us have been striving (to use a tired platitude) towards for years. We as an industry can either be satisfied with the status quo (and as such content with forfeiting our rights to be outraged by the actions of those with nefarious intent or short-sighted business sense) or choose to adapt, overcome and reinvigorate ourselves, our peers, our employers, our clients and in doing so, refuse to forfeit ourselves and our convictions, our profession and craft in addition to our professional obligations. In effect, this is a matter of nulla iactura nulla gloria; if there is no sacrifice, there is no glory. So what does this mean?

This is a significant opportunity to discuss (with our collective and individual egos tabled), what matters most to us as information security and risk management professionals: the safeguarding of what matters most to us via traditional and visionary thought with the final goal being the minimization of risk and preservation of what we hold dear professionally and personally. Information security professionals in my opinion have an obligation; a duty, to do so. This is in many respects no different from the responsibilities and obligations that doctors, attorneys, law enforcement agents and teachers have; an obligation to the greater good in which the first rule should be to do no harm.

Many different paths, with all roads leading to our idealistic “Rome”, can be explored yet our mission remains the same. Our responsibility at a high level is to demonstrate and articulate with conviction, and fact as our tools, the relevance and importance of what we do to those who have been tasked with fiduciary and stewardship mantles bestowed upon them (e.g. C-level executives, boards, advisers, stakeholders, shareholders, political bodies and leaders etc.), in addition to our peers, communities and industry as a whole.

I believe Josh's point is important and warrants time to grow and evolve in its own right as well as healthy, collaborative discussion. This is an opportunity to engage one another while positing ideas, concepts and potential paths to be taken or blazed. It is an opportunity to re-frame our points of view while communicating honestly about the state of our industry.

All the best,

Will Gragido
www.cassandrasecurity.com

Oct 16, 2009
B.K. DeLong said...
I think the point is we need to start brainstorming on where to go from here. @shrdlu, it's easy to slam @joshcorman for not having concrete solutions to the problem when you don't make any suggestions of where to go based on his piece.

I kid, I kid

But I've been shouting into the wind this year and talking with some folks at BeanSec on how to become more of a business risk adviser and asset to the company than a bedraggled cost-center for IT. I caveat this with the fact that my knowledge comes from observing my research clients - not being an active practitioner.

Part of becoming a risk adviser is to get an idea of what are critical business assets inside the organization and see "value" from the business unit owners point of view. That can be done as part of a Business Continuity Plan (which may already be done and somewhere around the organization) or a Risk Assessment where you're working with the business owner rather than perceived as a threat to them and their ability to do their job.

Just ask them what 3 things, if they were to be lost with no backups or stolen, would make it impossible for them to get work done or cause them to lose their jobs, and voila: critical business assets for that unit.

I think there needs to be more proactive thinking from that perspective than the constant minimum security needed to be in compliance lest organizations never have the ability to truly tackle enterprise-wide data classification, role-based access control and enterprise rights management to protect their customer data from loss and intellectual property from theft.

Oct 16, 2009
wgragido said...
It is healthy to examine all things and question everything. In our industry, often this is discouraged and viewed as being negative. I see it as both positive and of paramount importance; I believe this passionately. One area I might suggest based on my now 16 years in the information security industry (public and private sectors), is doing away with the notion that compliance = security. I am not suggesting it is a bad thing to be compliant with governance standards and regulations (especially those that have the ability to negatively affect an organization's ability to generate revenue and report a profit).

However I believe that a soundly architected risk based security program, complete with business unit awareness, operational concerns, clearly identified roles & responsibilities, processes, procedures, policies and controls is a phenomenal place to begin. Inspect what you expect. Over the years, I have had the privilege of working with some of the finest and, arguably, largest corporations in the world in consultative roles. If experience has taught me one thing, it is this: when well informed and empowered with the ability to speak clearly, articulating the value of information security risk management to business leaders and stakeholders change can occur. It’s an amazingly powerful thing to witness and satisfying feeling when one is able to accomplish a change in perception and thought.

Oct 16, 2009
wgragido said...
I think that even though risk based methods are solid and need to be considered, they are not what will spark the catalyst Josh is speaking to. Certainly can be the end product but that spark, that evolution needs to happen at a much different level for the individual as well as the collective.
Oct 16, 2009
shrdlu said...
BK, I'll tell you where to go ... just kidding, bro. ;-)

Should we question everything? Sure. Reinvent ourselves? Sounds good. Justify our existence to management? I'm all for it. But that's where the conversation almost always stops.

One of the closest things I've seen to a concrete suggestion came from Andy Jaquith: in one of his analyst pieces he recommended aggressively giving the responsibility and control back to the business. Not evolving -- DEvolving. That was breathtaking enough that I couldn't decide for a long time whether I agreed with it or not. Set up a tool and let HR run it? Completely? Make someone in R&D manage the ACLs for access to their files? It sounds on the surface like crazy talk -- so I'm thinking that's where we ought to head. Maybe we OUGHT to be giving up all our power and control, not clinging to it in the form of ever-fancier DLP-IAM-GRC-LMNOP appliances.

What if they gave a cyberwar and nobody came?

Oct 16, 2009
joshcorman said...
shrdlu, you *know* I have many thoughts on how we might evolve. I'll bet you've got some excellent ones too.

a) I want us to agree we need to evolve
b) I want us each to be personally engaged and thinking about what "evolving" might look like
c) I do *not* believe there is ONE right answer - and that supplying mine (in a broadcast) is less inclusive
d) I am hopeful that discussion and critical thinking will reveal numerous options from some very smart people
e) I will be blogging soon about some of my ideas/alternatives and [hopefully] drawing from a plethora of great ideas from you and others who respond to this post.

The status quo is not going to cut it.
I believe some of us are very capable of leading change and evolution.
The only bad idea - is *no idea*.

Oct 17, 2009
shrdlu said...
Josh, I await your ideas with bated breath. ;-) Seriously, though, I wish you'd stop being so "inclusive" and just come out with 'em. There's a lot of chatter out there about how we "need to change" and the only adage I keep hearing is "we need to communicate better with the business." Well, duh.

One way to elicit ideas is truly just to come out with your own. There will be plenty of people who say, "No, no, it should be THIS way," and some of those ideas will be good ones. Some people don't get inspired until they see what they don't agree with.

If you wait for everyone to be on board, we'll never get launched.

Fondly,
Gilligan

Oct 17, 2009
wgragido said...
I believe to begin with there needs to be a code similar to that of the Samurai; the Code of Bushido. See my post: http://cassandrasecurity.com/?p=418
Oct 17, 2009
wgragido said...
I further believe that one of the greatest threats to our craft is the lack of ability on the part of practitioners to articulate those elements which do influence change (from the bits to the board room), in an eloquent, simple manner. I'm not suggesting that every practitioner should be (nor try to), develop expertise in all aspects of infosyssec; specializations, in my opinion are terribly important. I really believe however we need to begin by asking ourselves why we do what we do (aside from a pay check). What are our motives? What led us here to begin with? And why do we stay? In answering those questions perhaps we can begin to properly usher in the change we've been waiting for. I know why I am here and do what I do, but what about you?
Oct 18, 2009
gorrie said...
I see where you're trying to go here, but I'm not quite with you.

First, the OODA loop can easily turn into the usual Hamster Wheel of Pain as Jaquith mentions in his book Security Metrics: Replacing Fear, Uncertainty, and Doubt. If you shared the link entitled On Sheep, Wolves, and Sheepdogs with non-insiders, I believe most people would find it offensive. People don't like being called a sheep because they don't understand the dizzying details and byzantine process and pitfalls of our industry that is largely driven by irrationality. I also don't really find it directly relevant or constructive in a complexity and technology risk management discussion, though it is if someone objected to carrying a gun in church.

After talking with Mr Gragido, his bringing up this blog entry, my saying that I had read it already, and his encouraging me to join the conversation, I find myself ready to talk about some of the same talking points that I've been bringing up for the last couple of years:
* relevance
* metrics
* unjustifiable complexity
* over-specialization
* mental inflexibility

First, most of what everyone in the industry speaks about is entirely irrelevant to business. Completely. If the information security profession wants to be taken seriously, they need to be relevant and speak in terms that the business will understand. Everything else I bring up is in line with this first point.

Second, almost nothing is measurable. There are many workflows, scorecards, risk valuations, and frameworks, but nearly all of the time, they are not put in terms that the consumers of risk information find relevant. Metrics need to be automated (cheap to gather) and meaningful.
- Measuring if past implementations have been effective or if the ROI was achieved after the unforeseen operational costs. Basing decisions on rich data case study would be great and also nearly completely unavailable.
- No information sharing between consumers anywhere. There is no Consumer Reports for enterprise technology. Every vendor or analyst has their hand out and it significantly colors their recommendation findings IMHO. Enterprise doesn't share the data that matters.
- A vulnerability scanner provides what is the worst kind of metric; one that isn't meaningful to anyone. The risk practitioner knows that it is only a fraction of appreciable risk, a non-practitioner looking at a scorecard may draw unjustified conclusions based on the score delta, etc.

Third, with all this talk about cloud computing, people seem to be forgetting that cloud computing is not anything new. It's distributed computing bundled with an API and given a fluffy concept to be marketed. This is not helping anything. If we as an industry are going to add a bunch of additional layers to the old conceptual model, we do not need to evolve, we need to optimize. I've asked around. Almost no one knows what we do. We're the gnomes that fix their shoes at night and lead people to believe that their shoes fix themselves. If we're going to accept a giant expansion of the threat landscape in accepting massively insecure Web 2.0 applications and, at the same time, accept outsourcing all of our data to complex distributed systems where it intermingles with everyone else's data in a way that people throw up their hands, as it is too complex, and declare "it is in the cloud," someone needs to appreciate that they are making this risk decision. It is our responsibility to communicate this. No one else will do it.

Fourth, people have become way too specialized to the point of not understanding what effect their actions have on other teams. It may be the case that literacy in many areas of our practice is hard. As complexity increases, the amount of people who will be up for it will decrease. The dispassionate that only came for a day job that pays a lot of money will not care enough to do what it takes to get their hands around it. We need to be clear that this complexity we're developing is accelerating the Peter Principle of technology and technology-dependent business management. I find it interesting that Technological Management is a stub here, though I am not surprised. We need to work toward a middle ground so that communication can happen on a level playing field. ASVS may help us to do this.

Fifth, and finally, best laid plans need to be right-sized on the ground. A mechanic's touch needs to be worked into human resource valuation. Flexibility and agile organization have to be valued more than the ability for bad managers to find someone else to blame for the systematic problems that they have had a part in creating. Complacency is too widespread. Complacent organizations are driven by the minimum standards of compliance. Leaders do not talk much about compliance as it is way in their rear-view mirror.

If we as risk managers can not put risk in terms that the decision makers and shareholders can understand without calling them sheep or cattle, then we are not worth anything. If we can't make the argument inside of the technology discussion, what chance do we have translating that to those who do not have an interest in technology?

Oct 19, 2009
ean said...
Joshua--I have to concur with shrdlu. You are right. We are losing. Our current strategies are failing and we need to get creative. Posts like this pose a problem and offer no suggestions for a solution. I have seen posts from many really smart IT security thought leaders like you with the same theme--we are losing and we have to change.

So what changes do you think will hold the greatest promise. What concrete suggestions can you pose to the community?

Here is what I propose as a viable new strategy: transparency.

Right now, individual companies are choosing to fight the battle alone. There is little openness due to legal, political, and reputational barriers. The bad guys don't have this problem. They openly share strategy, successes and failures. They cooperate while their targets continue to isolate themselves for fear of "looking bad". It seems that companies fear "looking bad" more than "being ineffective". The recent Heartland breach and the company's response to it seems to be a sign of changing times. Heartland is spearheading efforts to get companies to share information and adopt standards--band together instead of fighting the enemy alone. Once companies start to cooperate, all sorts of new strategies become possible...including my favorite: quantitative analysis of empirical data across companies, supply chains, markets, and security strategies. Measure, SHARE, analyze, and improve.

gorrie touched on this in this post. I am wondering what others think about transparency as well as other strategies.

Oct 19, 2009
wgragido said...
Transparency is an interesting idea however it would only work to a degree. Businesses require, no, mandate, a certain amount of discretion with respect to their privacy just as individuals do. To suggest otherwise is simply irresponsible and unproductive. With respect to metrics; that is nothing new. Quantitative and qualitative analysis (as Ian will agree with me as he's seen and heard me preach to clients in the past), are relevant and meaningful only when presented in concert with one another. Why? Due to the environmental dependencies which make each environment unique in addition to contextual relevance.

Heartland doesn't count as far as I'm concerned and in many respects is not worthy of being used as a proper example. Why? Because their failures came from a fundamental lack of solidly architected and executed risk management based program directives. I feel passionately that had they had a truly sound holistically designed program complete with a framework that addressed their business risk in addition to the risks faced by their business units, operational security requirements in addition to governance concerns they may not have suffered the way they did. Or, perhaps they would have as vigilance is required in both administration and operational management. They are the poster child for all things wrong with the idea that suggests that being compliant equates to being secure.

Oct 19, 2009
RThomas said...
Great post, Josh, and very good discussion from wgragido, ean, and gorrie.

Regarding what InfoSec people and CISOs should do differently to evolve/change/adapt more effectively, we could start by including some "meta-metrics" for organization learning, agility, etc.

I gave a presentation at Metricon a few years ago on this topic: "Security Meta Metrics – Measuring Agility, Learning, and Unintended Consequences" http://meritology.com/resources/Security%20Meta%20Metrics.ppt . It includes some specific ideas for such metrics, but really almost any metric will be better than the willful ignorance that most organizations have today.

Oct 19, 2009
ean said...
I have to respond to wgragido...

I will be brief.

I take exception to the notion that suggesting transparency as part of the solution is irresponsible and unproductive. Medical research is a great example of a discipline in which a balance has been struck between the needs of individual privacy and research. Is it irresponsible to suggest that IT Security's transparency issues are no more intractable than those of medical research? Is it unproductive to try to leverage the progress of a more mature science such as health care?

If your point is that quantitative analysis must have context, then you too are saying nothing new.

As for Heartland: you seem to say that they don't count because they had an inadequate risk management program in place. What's adequate?

Oct 19, 2009
Pete Lindstrom said...
Josh -

I agree wholeheartedly that we need to consider evolution and that our profession is reticent to do so. Compliance slows things down even more. We have plenty of opportunities for re-architecting security as the components are already there. Consider taking deperimeterization to its logical conclusion. Or integrating obfuscation, transformation, tracers, and tethers into an architecture.

I wrote a column for ISSA Journal a while back with some ideas for security evolution:

1. Conscientious software
2. Remote attestation
3. Microsecurity
4. Contextual mapping
5. Hyperdynamic processing

(see http://spiresecurity.com/?p=208 for more information).

The cool thing is that this is about evolution and not revolution - the roots of capabilities like trusted computing, for example, are well-defined and simply need to be applied to today's architectures.

I think virtualization and cloud computing have really exposed internal computing components in ways that make evolution discussions very timely.

Fingers crossed,

Pete

Oct 20, 2009
shrdlu said...
Just throwing out another idea here: what if the answer is NOT to get even more wonky and detail-oriented? What if our natural tendency to over-complicate things (especially those INTJs out there; you know who you are) is leading to the business side's collective eyes glazing over and preventing security from getting better? Is our goal to do even more of what we've already been doing, with more metrics and lawsuits? Or is it to build security in to the point where it's both automatic and invisible?

Transparency doesn't have to mean exposing details; it can mean exposing enough key points to let everyone understand. ean's point is a good one, although now I keep envisioning a lecturer starting a presentation with, "Elderly financial institution, 120 years old, presented with pain in the perimeter region ..."

Oct 20, 2009
Conan said...
Crom!

It is commentary like these that makes a barbarian want to smite!

Elizabeth A. Nichols, Ph.D. Don't you have some metric subscriptions to sell? Are these political debate fallacies really necessary here? What is good, she asks! Transparency is impossible, she says! Why do you hate our medical research! Do they teach constructive conversation in post-doc?

Peter Lindstrom: Do you really have to pull a Gadi in trying to make up lame names to describe things that already have them? Going out of your way to manufacture complexity isn't going to bring anything tasty to the table.

Perhaps we need to publish this conversation in the irrelevant ISSA journal. How about 2600 Quarterly? Even better. It can fill the pages between Hacking Wal-Mart and Social Engineering McDonalds.

Are extreme examples used to debunk arguments required here? Does everyone contributing here need to try to sound fancy? This isn't a broadsword measuring contest. If it was, YOU WOULD ALL LOSE TO ME.

If we're going to talk out of our asses, let us agree to at least use a barbarian name and try to avoid hyping up some weak sales play. Some evolving professional maturity, perhaps.

See you on FD,

Conan

Oct 20, 2009
wgragido said...
@ean let's not forget what this post is about; sponsoring a change in thought which affords all interested parties the opportunity to (as my good friend Will Irace would say), differ honestly. I'd go as far as to say we need to remain both professional and intellectually honest as well. In doing so, we preserve the integrity and spirit of the debate while avoiding disparaging remarks and hostile tones.

Allow me to address your comments directed towards me and then for the sake of this thread I'll contribute other ideas of a less personal nature:

If you're going to quote me, do so in detail and accurately so as to avoid creative editing; it is polite and professional after all. I suggested that transparency is an interesting idea (as I believe it is), however I believe that its effectiveness may be limited due to the needs of businesses (e.g. organizations in the business of turning a profit and reporting revenue, not not-for-profit research entities such as those seen within academia). I believe candidly, that to suggest complete transparency is folly and yes, I would go so far as to say that no C level executive tasked with stewardship of his or her enterprise (much less with the responsibility of reporting to shareholders and a board of directors), would encourage such transparency. To do so would invite peril and distress and could very well introduce more risk than it mitigates. Mitigation is, after all, why we do what we do.

I agree with your example on the balance struck in medical research however one needs to specify whether or not one is referring to the world of academic research or the world of for profit bio-medical research. My assertion is that though there may be transparency it is present to a degree and the full disclosure would not be (nor is it), pragmatic or endorsed within all environments. Never did I suggest that it was unproductive to look at alternate models or industries from which to glean ideas. At the same time neither did you :) Furthermore, I suggested that quantitative analysis predicated on context in conjunction with qualitative analysis is the key; I didn't invent the lock I just know how to open it.

Additionally, I'm not sure what your experiences have been in consultancy work (and that wasn't meant as a pejorative comment I just don't know enough about you or your work :), but I take issue with the insinuation that there has not been collaboration amongst industry leadership in the past to discuss these ideas and challenges when in fact there has and continues to be. The caveat being that there is no full disclosure or true transparency within those meetings without the presence of a great deal of legal documentation protecting and threatening all parties should they violate the terms of disclosure.

With respect to Heartland, I stand by my assertion. I feel their failures came as the result of a lack of due diligence and vigilance with regards to their program. A properly architected security program, endorsed, ratified and instilled within the framework of an enterprise organization is powerful and, when properly shepherded, nearly (I say nearly because we live in an imperfect world and must deal with margin of error etc.), impossible to undermine provided the due diligence and heavy lifting has been done well in advance. So what does that look like? I can't speak for Heartland as I never worked with them in a Risk Management or assessor capacity but I have worked with several Fortune 500 to 50 financials in the past and it begins with the identification and valuation of assets (tangible and intangible), after one properly comprehends the tenets and nature of the business. From there on in, things can go a number of ways (we can discuss off line should you desire), but a short list might include:

- Asset Identification & valuation
- Business Impact Analysis
- Risk Assessment
  - Traditional quantitative analysis modeling
  - Traditional qualitative analysis modeling
  - Non-traditional methods
- Exhaustive interviewing and assembly of detail pertaining to the units which compose the business and the stakeholders within said units
- Real time assessment of organizational risk posture
- Security Program Development:
  - Framework build out predicated on information gathered and introduced by the consultants
  - Framework roll out

Heartland's sin was that they (or someone within its confines) made the conscious decision to equate compliance with being secure. This, I suspect, was hardly done in a vacuum, nor is it unique to them. Bear in mind, I'm not indicting individuals but the problem. Rather than focusing on ensuring that risk mitigation was achieved and approached as though it were a living, breathing entity whose contribution to the business was of paramount importance, a decision was made to meet an arbitrary set of criteria set down from on high (PCI DSS Council, I'm looking at you) which, at best, is interpreted differently by every auditor / assessor conducting those audits today. My desire is to eradicate these types of events and thus prevent suffering such as this again in the future.

@Shrdlu good points. I love the premise of KISS. I feel though that in order to keep it simple for those not necessarily in need of being in the know, we need first and foremost to be ready to address these matters from the bits to the board room. Call it a call to arms; a belief system; a passion. I agree with you and ean on transparency; I just worry that unless we encourage these lively conversations and debates (as professionals and friends :), we will be doomed to repeat our mistakes. I personally believe (and yes, I realize it's not new) that risk management is key. It's not, as both Bruce and Marcus asserted, intangible and too difficult to achieve. I believe that is intellectually dishonest and, sadly, lazy.

Oct 20, 2009
shrdlu said...
Conan, I've never watched your show but now I'm going to start tuning in. That was awesome.

Do you want to be secure forever?

Oct 20, 2009
ean said...
wgragido--
Thank you for your post :-) Very thoughtful and clarifying.

On transparency, it appears that we can agree that it is certainly not the entire solution. I think we may also agree that any trend toward increased data sharing will likely occur in an evolutionary manner--per the theme of this thread.

Here is a concrete example. I have been investigating the question:

How does an IT security breach affect the stock price of a public company?

I know about two relevant data sources: 1) stock price data, which is easy to obtain, and 2) the DataLossDB, which is a database that compiles breaches that fall within the scope of state disclosure laws. Understandably, the information that companies disclose meets the minimal requirements of applicable state laws. The result is that key information that would enhance analysis is not available. The analogy that comes to mind from other disciplines is the treatment of accident data by the NTSB. The level of detail collected and disseminated by the NTSB is leveraged by all segments of the transportation supply chain to improve how key components are built, maintained, and operated. It's an industry-wide feedback loop. Everyone has equal access to hard facts and data that help to reduce (not eliminate) incidents.

My emphasis on transparency is derived from personal ambitions to provide hard quantitative analysis of IT security for both fun and profit. The web site to which my name is linked presents open and free quantitative analysis as well as a for-profit platform called MetricsCenter for security metrics.

With respect to Heartland, I appreciate and respect your statements in the last post. I mentioned Heartland because I had just attended a presentation by their CEO which was refreshingly open, candid, and emphasized the need for additional cooperation amongst all players in our industry. They learned the hard way the difference between compliance and security.
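
The question ean poses above ("how does a breach affect the stock price?") is usually answered with an event study, so here is one worked through as an added example. It is not ean's code, not MetricsCenter, and not anything from this post: it assumes the market-model approach (regress the firm's daily return on a market index over a pre-event window, then sum the residual "abnormal" returns over a few days around the disclosure date), and the price series, the ticker "XYZ" and the disclosure-day index are all constructed so it runs offline. The one field a minimal state-law disclosure reliably gives you, the disclosure date, is the only breach-record input the method needs; everything ean says is missing (root cause, record count, dwell time) would only enter as grouping variables on top of this.

```python
"""Event-study sketch: does a breach disclosure move the stock?

Added example, not from the post. Market-model abnormal returns: fit
r_firm = alpha + beta * r_mkt on a pre-event estimation window, then sum
the residuals over a short window around the disclosure date. All series
below are CONSTRUCTED so the script runs offline; a real run would pull
closes for the ticker and take the disclosure date from a breach database.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachEvent:
    ticker: str          # hypothetical identifier
    event_index: int     # index into the price series of the disclosure-day close


def daily_returns(prices):
    """Simple returns; return i belongs to the close at prices[i + 1]."""
    return [p1 / p0 - 1.0 for p0, p1 in zip(prices, prices[1:])]


def market_model(firm, market):
    """Ordinary least squares of firm returns on market returns -> (alpha, beta)."""
    n = len(firm)
    if n < 2:
        raise ValueError("estimation window too short")
    mx, my = sum(market) / n, sum(firm) / n
    sxx = sum((x - mx) ** 2 for x in market)
    if sxx == 0.0:
        raise ValueError("market returns are constant; beta undefined")
    sxy = sum((x - mx) * (y - my) for x, y in zip(market, firm))
    beta = sxy / sxx
    return my - beta * mx, beta


def abnormal_returns(firm_prices, market_prices, event_index,
                     estimation_days=30, window=(-1, 3)):
    """Abnormal returns over [event+window[0], event+window[1]], inclusive.

    The estimation window ends the day before the event window opens, so the
    disclosure itself cannot contaminate the 'normal' model.
    """
    fr, mr = daily_returns(firm_prices), daily_returns(market_prices)
    ev = event_index - 1             # return index of the disclosure day
    pre, post = window
    start = ev + pre
    if start - estimation_days < 0 or ev + post >= len(fr):
        raise ValueError("not enough price history around the event")
    alpha, beta = market_model(fr[start - estimation_days:start],
                               mr[start - estimation_days:start])
    return [fr[i] - (alpha + beta * mr[i]) for i in range(start, ev + post + 1)]


def cumulative_abnormal_return(firm_prices, market_prices, event_index, **kw):
    """CAR: the number one would compare across breaches (or against zero)."""
    return sum(abnormal_returns(firm_prices, market_prices, event_index, **kw))


def build_sample():
    """Constructed series: 30 estimation days, then a 5-day event window.

    The firm tracks the market with beta 1.2 and a 5 bp daily drift; on the
    disclosure day (return index 31) it loses an extra 6%, and 1% more the
    day after. Prices are derived from those returns, starting at 100.
    """
    n = 35
    market_r = [0.003 * math.sin(i + 1) for i in range(n)]
    shock = {31: -0.06, 32: -0.01}
    firm_r = [0.0005 + 1.2 * m + shock.get(i, 0.0) for i, m in enumerate(market_r)]

    def to_prices(rets, start=100.0):
        prices = [start]
        for r in rets:
            prices.append(prices[-1] * (1.0 + r))
        return prices

    return to_prices(firm_r), to_prices(market_r), BreachEvent("XYZ", event_index=32)


if __name__ == "__main__":
    firm, market, event = build_sample()
    ar = abnormal_returns(firm, market, event.event_index)
    print("abnormal returns (-1..+3):", [round(x, 4) for x in ar])
    print("CAR(-1,+3): %.4f" % sum(ar))
```

Because the constructed firm tracks the market exactly outside the shock, the abnormal returns come out as roughly 0, -6%, -1%, 0, 0 and the CAR is about -7%. On real data the residuals are noisy, so the honest version of shrdlu's question below ("does the price really go down?") is whether the average CAR across many disclosure dates is distinguishable from zero, which is where the thinness of the public breach records starts to bite.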

Oct 21, 2009
djetue said...
The more I contemplate this post, the more I think that the five fronts Josh presents (threats, compliance, economics, business needs, and technology) may be more important than the concept of evolution itself. Perhaps the reason that information security needs to evolve in the first place is because we've collectively failed to optimize for all five fronts. The first step in any improvement process is admitting you have a problem, and I propose that statement needs to start with the fact that many security programs haven't taken into account all fronts and instead have optimized for only one or two.

We can complain that compliance has become more important than threats ("security"), but Josh correctly points out that economic factors (often beyond our control), business needs (which security risk management should be aligned with and embedded in), and new technologies (which potentially enable new business models or significantly lower costs) are equally important success criteria. For a timely example, most people reading this post can likely name a long list of companies doing cloud or virt blind to the security implications because the economic cost savings from this new technology are too large to ignore.

Evolution needs to be more than saying yes to change; it needs to be an actual understanding of how all of the "fronts" identified impact your organization, optimizing information security recommendations for all five, and, most importantly, communicating to the rest of the organization the risks related to all five fronts in terms they understand.

Oct 21, 2009
shrdlu said...
djetue is right -- the key words being "the economic cost savings from this new technology are too large to ignore." And since the business often doesn't see risk the same way we do, the answer may not necessarily be to "educate them" to our point of view; the answer may (in many cases) be that we are the ones who have overestimated the risk. (See my fudsec posting on the topic.)

For this reason, I'm grateful to the metrics gatherers who are trying to implement evidence-based risk assessment. Does a stock price really go down after a security breach, or is this just "conventional wisdom"? How much does disclosure really hurt a business in concrete economic terms? And how much does it hurt the (non-DoD) public sector, which has no "customers" to lose?

From the CEO's perspective, the biggest threats are auditors and attorneys; that's why the risk of non-compliance is sometimes the only thing that gets you the C-suite's attention.

Oct 21, 2009
joshcorman said...
http://www.securityfocus.com/brief/1025
ChoicePoint allows data breach, again

Sigh...

Oct 22, 2009
wgragido said...
ChoicePoint falls into the same category as Heartland in my humble opinion...perhaps more so, in that they were breached once previously and should've taken the appropriate steps to prevent it from occurring again.
Oct 24, 2009
Anton Chuvakin said...
Wow, this was one of the most fun discussions I've read in long time...
Dec 21, 2009
Rob Lewis said...
Somehow I missed this when you first posted it.

You present a very good depiction of rising complexity for the business. However, despite the interesting comments, someone else will be writing the same thing next year, and the year after that too probably.

The reason why, is that no amount of moving the furniture around is going to produce the magic pixie dust that suddenly makes a broken security model work. So are you after evolution or innovation?

Guy Kawasaki wrote in his "art of innovation" spiel for security that "no one on the first curve will be able to comprehend, let alone embrace the second curve".

Would anyone on the first curve even recognize innovation even if it fell on their heads?

How can anyone on the first curve be innovative, since one always resorts to what one knows?

Can evolution of security practice without innovation make a difference? How much would real innovation change the risk model, economic incentives, ROI, compliance, etc., and lead to natural evolution of security practice in parallel?
