Showing The Oblomovs The Door

This week's invited guest post is from Nick Selby, a security convergence consultant and enterprise security thought leader who established and led The 451 Group's Enterprise Security Practice from 2005-2009. [Ed: This post was provided shortly prior to Black Hat/Defcon]

Nick Selby
Founder, Cambridge Infosec Associates, Inc
 
A recent survey shows that half of information security professionals are unhappy in their jobs despite six-figure salaries.
Of course they're unsatisfied - we have well-trained, well-intentioned security professionals reduced through a series of relentless box-ticking to ensuring that their hopelessly dated signature-based technologies have the most recently-updated chance of not stopping anything. Why? Because as punishment for making everything so complicated, security professionals have been saddled with compliance management.
 
The CEO who lets the Security organization become the compliance department has abdicated to the government and Payment Card Industry his responsibility to understand and manage organizational risk. That is a fiduciary breach of CEO responsibility to shareholders. In addition to firing your ass, this should also be a floggable offense.
 
I stomped away from trying to influence security as an analyst because compliance (the adjective, the verb, the noun ... and whatever part of speech the word 'compliancy' is) has managed to suck every ounce of oxygen from the room that is the security industry. Okay, that's an exaggeration - I really quit because I find it more rewarding to once again do security than to talk about doing security.
 
We're in an Orwellian information technology universe, and we've let criminals become Big Brother because they often have better configuration management data than our own information security groups. We have a rapidly evolving threat landscape, advanced persistent threats, new generations of attacks and attackers and a wildly changed attack paradigm, and purveyors of "intrusion detection" and "anti-virus" don't just exist, they're propped up as puppet regimes by the makers of rulesets designed to keep us "safe" and "smart."
 
Josh Corman at IBM was spot-on when he called PCI the "cyber-incarnation of 'No Child Left Behind.'" At this writing it's unclear whether Black Hat and DefCon demonstrations will include the PCI-compliant account skimmers we've heard of, but the fact that they're out there stands testament to the Pyrrhic victory that is the PCI Data Security Standard. Well-intentioned businesspeople at PCI, seeing their money walk out the door at an exponentially increasing rate, thought they'd "raise the bar" by setting forth some highly specific tasks. Unfortunately those tasks were specific to a paradigm gone by, and those who don't comply get their credit card privileges popped. Thus have they managed not only to not raise the bar but in fact to substantially lower the ceiling - PCI is not the minimum standard, it's the maximum effort that many organizations make.
 
And why not? By doing PCI, one can claim to be doing 'best practices'. ('Best Practices' is a term for which toilet-dunks should be applied rigorously - the term is, to borrow a phrase from Marcus Ranum, weapons-grade marketing bullshit.) Meanwhile, Visa and MasterCard stay shtum on their card fraud numbers in one of the best shell games around, as banks and card associations play the Three Wise Monkeys, passing the buck back and forth amongst their cabal while storm clouds of another off-balance-sheet Armageddon gather in the distance.
 
Is this just another "anti-compliance" rant? Sure, but it's also a "pro-risk" rant. It's not just that our lives as security professionals are increasingly (and increasingly exclusively) about feeding the compliance beast. It's more about the fact that all this compliance stuff is preventing us from addressing risk and performing, you know, security. Compliance is big money (there are more than 100 sponsored links on Google for the phrase "security compliance"), so vendors and analysts push it, and departmental budgetary politics becomes all about securing compliance-related funding. This directly leads to stovepipes - those "Cylinders of Excellence" in which the slightest thought about anything not budgeted becomes "out-of-scope".
 
Now hear this: Our enemies do not compartmentalize their attack resources. They don't have a budgetary or organizational constraint against standing in the smoking area and walking into your building behind a smoker who's taped open the ram-bar latch; or phishing credentials from one of your employees by phone, fax or email; or popping through a poorly constructed web application; or, if the stakes are really high, having someone sit in front of your Vice President of Whatever's house, looping trivially through his WEP-"protected" WiFi and surfing into your network on his VPN connection. Let's not even talk about his cell phone. How many stovepipes within your organization have those utterly commonplace vectors just crossed?
 
To deal with these threats we don't need more stuff, we need to talk to one another, to use the resources we have in place already in smarter and better ways. Communication, cooperation and a top-down emphasis on understanding risk - these are things that can't come from the comet tail of crap being pushed by vendors and consultants today. We face a 360-degree threat, every day, and bad guys are as innovative and resourceful as they need to be to stay one step ahead of you. The problem is we're not making them need to be very resourceful at all.
 
Compliance - the state of being - is achieved as a by-product of well-managed risk, not through a relentless ticking of boxes by Oblomovs you've hired to "deal with" compliance. Security requires integrity, inter-departmental communication, articulation of goals and give-and-take between stakeholders so that everyone has more information to take into account when making business decisions. It requires coordination between physical and logical, between departments as seemingly disparate as HR and marketing and bizdev and sales, and the executives who make decisions about where they want their firm to go.
 
You want to be a CEO? Manage risk by demanding your people give you information supportive of cost-benefit analyses that are based on how you can create more value, as opposed to how you can avoid being fined or having your name in the paper. You want your compliance department to manage risk for you? You'd better hope your firm is considered "too big to fail," so the next round of government bailouts can save your sorry butt. Although, since you're allowing the government - through SOX and HIPAA - and other industries like the payment folks to set your agenda, maybe a bailout was what you had in mind from the start.