Anybody who knows me very well, has worked with me, or has followed my blog (well, back when I still made substantive posts like this one), will know that I'm obsessed with not only questioning everything, but also asking the right questions. It's actually a rather annoying knack that's emerged from growing up in an academic environment, where questioning and debating are ways of life. When other kids were playing Nintendo, I was watching the "Mysteries of the Unknown" video series, solving fun Math and Logic puzzles. For my career in information security, this has long been my mantra; namely, question everything, and make sure to ask the right (often hard) questions.
To that end, I've been pleased to read over the past week that several big names in the industry are beginning to realize that we've been asking the wrong questions, taking the wrong approach, and generally being dumb (one could argue that this is an artifact of modern society, but I digress...). Specifically, Purdue University's Spaf, Securosis' Rich Mogull, and Rational Security's Christofer Hoff have made the following posts:
- CERIAS Weblogs » Solving some of the Wrong Problems by Dr. Gene Spafford
- An Optimistically Fatalistic View Of The Futility Of Security by Rich Mogull (Securosis)
- Information Security: Deader Than a Door Nail. Information Survivability's My Game. by Christofer Hoff
What I get from these posts, really, is a reinforcement - and, frankly, validation - for my long-held beliefs. InfoSec has not been a technology issue for a very long time. It's a business and alignment problem that is simply not being addressed by the business. Part of this is due to a lack of buy-in and understanding, but this is also largely due to laziness and sloppiness misconstrued as cost savings. And, as much as I hate to say it, until organizations become financially motivated to do the right thing, we will continue to see utter excrement excreted.
Beyond the technology focus of these posts, I'd also like to point to the continued confusion and divisiveness in the security management / governance space. Companies want a solid approach to information security, but they don't know what to choose. Part of this confusion has been caused (perhaps intentionally) by organizations like ISACA/ITGI and their associated Big N audit sponsors. These groups have developed frameworks (e.g., CObIT) and then strongly encouraged (if not strong-armed) their customers to change how they operate to adopt this new approach. The problem with a framework like CObIT, of course, is that it wasn't developed to help the businesses who are customers of the auditors; instead, it was developed to help the auditors reduce their overall costs in conducting public audits on an annual basis in order to optimize the profitability of these engagements. Oh, sure, they said it was for the customers' benefit, and they pointed at SOX and made up the concept of "IT Governance," but if you look closely, you'll see the truth.
Other frameworks suffer similar compatibility issues, though perhaps not from as much of a divisive, self-serving perspective as the one just mentioned. In fact, this area was the subject of my Masters Thesis, within which I look at a large number of infosec-related "methods" and conclude that there is one major flaw: no model to rule them all. You can read the thesis for full details, but in short, my approach was to classify methods as being models, frameworks, or methodologies, which are listed here in decreasing level of abstractness and increasing level of concreteness and detailedness. The conclusion was that no model existed that could cover all of Enterprise Risk Management, Operational Security, and Audit Management. There were lots of frameworks and methodologies that fit within each of these competency areas, but none that pulled them all together.
To that end, I created a model, called the Total Enterprise Assurance Management, or TEAM, model, that was designed to allow a best-practice approach within each competency area while pulling them all together in a coordinated and efficient life-cycle approach. Read the thesis for the full skinny. :)
Anyway... the point of my side-bar here is this: quit accepting what people with vested interest in selling you their solution/product are saying and, instead, focus on your needs (this could be applied to organizations and individuals alike). Ask the hard questions. Strive to attack the core problems, rather than wasting time and money on the symptoms. The only time it makes sense to attack the symptoms is in triage situations where the hemorrhaging is so bad that it requires immediate treatment. But question that, too. Do you really need to jump into triage mode, or is the situation not actually that bad, allowing you to come up with the right solution so that you can do the right thing?
Now, obviously, this is not to say that you should spend weeks or months debating whether or not triage is appropriate. I would hope that it would be obvious. At any rate, once you get past the initial steps, you need to identify and attack the core issues. If you're having trouble managing accounts, begin an analysis of identity and access management solutions instead of cobbling something together in-house using scripts and expensive person hours. If you're not getting a good read on network and security performance, then get monitoring and measurement tools and practices in place, preferably building on log management platforms, dashboards or balanced scorecards, information integration systems, and so on.
The point is, be smart, be thorough, and do the right thing by analyzing your needs and finding a solution that meets them. If the right solution means reinventing some of your processes and practices, then fine, cool, get it done. But don't just start with an arbitrary tool that seems cool and expect it to be the silver bullet solution, if only you change everything you're doing.
"To raise new questions, new possibilities, to regard old problems from a new angle, requires creative imagination and marks real advance in science."
- Albert Einstein