I had the opportunity to get away over the Memorial Day weekend. We drove out to the beach and did generally non-technical things for a few days and, I have to say, it was rather nice. Now, I'm not generally a beach person. I don't like the smell of the ocean, nor do I like the pervasive mess that is sand, but I do enjoy spending time away with the family. Even more, I enjoy not working for a few days, including getting away from this industry, which has become so acrimonious of late.
There's an interesting phenomenon at the "shore" (as some call it out here), and that's what I call "beach food." In the real world, few of us would generally consider eating much of what is served as "food" in restaurants at the beach. Yelp reviews extol the greatness of sandwich shops or fried seafood eateries, all of which are grossly overpriced (I'll come back to this point in a minute), but in general, well, it's really all pretty awful. There is the occasional exception (like the kabob shop we found a couple years ago), but for the most part, the food is just plain sub-par.
Now, there are a couple of reasons for the "beach food" phenomenon. First, you're generally looking at seasonal workers being paid very little to come in, cook some food, and then play beach bums the rest of the time. High-quality food preparation is not really their prime motive. Second, these eateries, on average, are only open and profitable for about 4 months out of the year. The kabob place, for example, opened on May 5th, and will close again in September after Labor Day weekend and the start of school. Yet, they've been in the same location for a few years now, suggesting that they're paying rent year-round. As such, this second factor of a limited season results in 2 key attributes: lower quality of products (cheap!) and higher prices.
Once you gain this perspective on the "beach food" scene, it becomes quite evident that your normal decision-making processes should be largely bypassed. You cannot apply normal criteria to dining out at the shore. In fact, reverse logic really kicks into play. Instead of looking for high-end establishments with (even more) inflated prices on the assumption that they'll have better food, you should rather look to those establishments that serve standard, commoditized fare that can't be screwed up as easily. In this scenario, sandwich shops and burger joints tend to be better in quality simply because they can get reasonable quality products at a reasonably low price point, which allows them to charge their inflated prices, without overly inflating, and still make out ok. Moreover, because these places tend to be quick stops, they can easily churn through thousands of customers in a day without sacrificing a reputation (and, in fact, it tends to build their reps).
All of this blathering about food (making me hungry) reminds me that we have perhaps lost our perspective in the security industry, too. We've seen dozens of major breaches this year already, and it seems like it's stinging a bit. After all, the security industry itself has been under attack, with major breaches at vaunted stalwarts like RSA and Barracuda. And, yet, what's interesting to me is that we continue to obsess over the breaches themselves, self-flagellating for these historic failures, but without focusing on the right values.
Consider, for example, the differences in the RSA and Sony PSN breaches. In both cases, we've gotten unclear information on what exactly happened. In both cases, it's reasonably clear that the breaches were severe. In both cases, it seems that we're dealing with fairly skilled attackers. However, in the case of RSA, business goes on, even as concerns about the use of compromised token data make a splash. Contrast that with Sony PSN, which looks like a cyber disaster nearly on par with the tsunami fallout over the past few months. Both got popped, both have experienced losses, and yet we can say with a reasonable degree of certainty that the long-term harm to RSA should be minimal, while the long-term harm to Sony is TBD and likely to be significant.
How, then, are we to measure their security performance? Both were compromised. Both failed to defend their assets. Should we count these as failures? I think not. Instead, the measure should not be whether or not an organization has a breach, but how well they handle them when they happen. Along those lines, the press should be keying in on just how pooched the incident response is, and then crucifying the incompetence that it demonstrates. The key measures should be how well the incident was detected, contained, and managed overall.
This brings me to what I think are two imperatives going forward. First, it's now time to implement mandatory breach reporting. I don't just mean those weak breach notices that go out, but actual full-scale reporting to a central clearinghouse (e.g. OSF's datalossdb.org). There should be a mandatory format for these reports (e.g., VERIS) and there should be a mandatory deadline for filing the reports. This requirement is especially important for publicly traded companies. We need to remove all the rumor and innuendo around breaches that artificially impacts financial performance, instead allowing truly incompetent organizations to be appropriately disabused for their performance.
Second, it is time to codify legal defensibility as the standard of measure. Part of this legislation would be finding a way to create standing for parties that doesn't simply hinge on direct financial loss, which would then allow more lawsuits to be filed. As lawsuits build up - both criminal and civil - we would then start being able to provide the ever-evolving framework for determining whether or not organizations have made quality decisions in protecting themselves. Such legislation could serve as a catalyst to start putting actual data and performance behind so-called "best practices" in a meaningful manner. If an organization can reasonably expect attacks, then they must take reasonable measures to protect themselves and limit the impact of a breach. This line of thinking leads fully into survivability strategy.
All of this serves to alter our perspective... we're overdue for a change of direction...