It's a little after 5am local time and I've been up now for almost 2 hours. No, I'm not suffering from insomnia, nor am I trying to use myself in a sleep deprivation experiment. Rather, the security alarm in the apartment (for which I have no use) has decided to start beeping (rather loudly) about every 30 seconds. I'm sure they gave me directions for the darned thing when we moved in, but that was nearly 3 years ago, and I haven't the foggiest idea where they are.
So, the next logical thing was to call the after-hours maintenance hotline and have the on-call person paged. I say "logical" because the other options that occurred to me ranged from ripping the panel out of the wall to simply cutting the wires.
I called the maintenance hotline and the woman took my info and the nature of the problem and said she'd call maintenance. And then I waited. And waited. And waited. 30 minutes went by and no response. So, I called the hotline again, got the same woman, and she says "I'm sorry, this isn't on our pre-defined list of emergencies." !!!!!!! An alarm, for which I have no remedy, is going off at 3:30am and she won't page the on-call because it's not on her list. To make matters worse, she couldn't be bothered to call me back and tell me this. I had to wait 30 minutes and then call back to find this out. Putting aside the sheer failure in customer service, let's explore the fundamental problem here: inflexibility and a lack of creativity in finding a solution. This minimum wage drone had no motivation to help me.
I find this problem to be common in infosec. It seems that my entire career has been spent banging heads with people who are inflexible and uncreative. As my friend Bob likes to say: "If all you have is a hammer, then every problem looks like a nail." This is remarkably, yet unremarkably, true.
In my case, early this morning, the problem was related to a person who had no vested interest in helping resolve my problem. Despite my expressing a high degree of agitation, culminating in my hanging up on her in frustration, there was really no reason for her to care. To make matters worse, she probably gets this kind of thing on a regular basis. Lack of vested interest, however, is a major obstacle to success when dealing with stakeholders.
Beyond this lack of interest, however, is an even more suspect attribute: inflexibility. How often do people get locked into approaches or solutions or products and then act like there is no alternative? How many companies continue to be Cisco shops when Juniper has less expensive networking equipment? How many security teams/departments trudge on with a reactive, firefighting approach, because that's how they do things?
One of the favorite things that I learned from Engineering Economics in grad school was that history is irrelevant when projecting the future (this isn't completely true, but stick with me). See, when you go to predict future performance, you really only care about what you have right now, and how the market will behave around it. Now, the "not completely true" part is that you do take into consideration prior performance when guesstimating your probabilities. But, let's really consider this concept of history being irrelevant. The best application that I can make of this concept is this: don't be beholden to past decisions just because you made them. Just because buying Product X made all the sense in the world last year does not mean that the same decision makes any sense at all this year.
I've seen this play out directly before. The small ISP I was with in Montana had spent a significant sum of money on a network management platform from a major company. The purchase included bringing in a consultant to get it installed and running. The product had been chosen, not because of its fit to the environment, but because the CTO had worked with it previously. Unfortunately, not only was it way too much for our environment, but our environment was partitioned (or not) in such a way that install of the product was not going to work well, if at all. In fact, after having a consultant on-site for a couple weeks, with him being unable to even get the software to install properly (some issue with a Windows hotfix), they gave up. The CTO didn't know what to do.
My solution was very straightforward: ask for our money back! There were free solutions that would be more than adequate (e.g. Nagios), and I figured we could get such a solution deployed very quickly. As it turns out, I was right. He installed Linux and Nagios and had the whole thing working in less than 2 days. This was a rare case where someone bought into the notion that we should not be beholden to our pasts.
There is, of course, a certain danger in this somewhat cavalier approach; namely, that those who fail to learn from history are doomed to repeat it. The point of my "don't be beholden to the past" mantra is that, if there's anything history can teach us, it's that not all decisions are the right decisions, and that if what seemed right in the past no longer seems right today, then fix it!
The other aspect of my security alarm annoyance this morning is a lack of creativity. If the hotline woman was inflexible, she was even less creative. As it turns out, if my smoke alarm was going off, she also could/would not call maintenance (even if it's the alarm on my 15-foot vaulted ceiling). This got me to wondering: what emergencies do warrant calling maintenance? Unfortunately, this isn't the first time that I've encountered this inflexibility, but it is the first time that it's cost me some sleep.
Creativity is a vital aspect to solving problems, and this morning certainly called for it. Again, putting aside the issue of "no vested interest," it's instructive to think about how this problem might have been solved. First and foremost, the hotline woman could have started asking me about problems that were on her "pre-defined list of emergencies" to see if one of those might match my condition. Alternatively, she could have been provided with information on how to disable or resolve the alarm condition. I know for a fact that this condition occurs on a somewhat regular basis because a) it happened to my neighbor while he was on travel, and b) the maintenance guy mentioned it in passing when he last replaced the battery in the vaulted-ceiling smoke detector. As it was, being creative was left to me, as depicted here (unfortunately, too late for me to get back to sleep, but at least I was able to let my wife sleep some more).
In infosec, creativity is also an important quality. As with inflexibility, too often we look at a problem and say "hey, that looks like a nail, let's hit it with a hammer" instead of actually analyzing a situation to see if, in fact, it's something other than a nail. This issue is, in fact, endemic of a larger thinking issue: namely, that people often prefer to stay in their comfort zones rather than challenge themselves to think differently.
For me, thinking differently is standard operating procedure. In fact, I think so differently that it usually gets me in trouble, because people rarely understand me. And, no matter how amusing it is to see a towel wrapped around an alarm (that, I kid you not, has just stopped sounding), the simple fact is that most people look at that type of creativity and think "weirdo." I like to think of it as clever, but that's a different story for a different day...
The bottom line here is a reminder: when faced with a problem, don't stick strictly by the rules. Determine to have a vested interest in the solution, whether you actually do or not. Policies are guidelines, and it's generally easier to find recompense for a policy violation (assuming no harm) than it is to try and solve a problem within the rules that has not been previously foreseen. Inflexibility for the sake of inflexibility, though perhaps the easiest thing for lazy people, is rarely the right thing. This is doubly important to understand within the infosec context. The business must function if you're to get your paycheck on a regular basis. Failing to be flexible and creatively solve problems could result in a totally different problem for you: lack of cash-flow.
Remember the slogan I learned from the MT National Guard: Sempre Gumbi (always flexible)
(PS: no sooner did I hit submit on this post and the damned thing started beeping again... *sigh*)