Friday, March 15, 2013

Improvement: incremental, or excremental?

“We NEED radical change: the only way we can solve the challenges of securing systems and information is through radical change in the way we… blah, blah, blah”.

What we need, and what many people understand, is to allow reality to participate in our pronouncements. Yes, the state of InfoSec is pretty sad, and many approaches to improving it have sprouted sects which are devolving into bad religions (note that I didn’t say “metrics”, “risk”, or “pentesting”; you thought of those on your own). To be clear, my objection is not with these practices; it is with irrational and often myopic faith in them.

I’ll tell you what we NEED: we need a cure for cancer. Sadly, we aren’t likely to “cure” cancer anytime soon; there are too many different diseases under that label, and too many causes, to simply “cure” it. What we are getting, however, is (for many types of cancer) improved treatment, with improved quality of life and higher survivability. I truly hope that within a few generations people will look back on chemotherapy as we look back on bloodletting today; if that happens, I believe it will be through incremental gains. (Note: do not naively dismiss the occasional value of bloodletting; for some maladies it enforced bed rest when that was what was needed most. For the record, I am not a doctor, and I don’t even play one on Twitter; I am not suggesting a return to it as a mainstream medical treatment.) So, bloodletting occasionally helped people recover, when it didn’t make them worse or kill them. Sounds a bit like chemo, doesn’t it?

As for InfoSec: we’re talking packets, not people. Having added a bit of perspective, let’s revisit what we need, and what we might get, in InfoSec.

It would be lovely, like a field of flowers in spring, to make radical changes to infrastructure, code, human behavior, etc. We could all frolic through the greenfield networks, and rest easy with robust code handling our transactions. I’m sure we wouldn’t make any mistakes in design or implementation this time.

Just watch out for hay fever in this dream world of yours.



I hate to rain on idealists’ parades (OK, you got me, I love it), but while some people do get to implement rapid radical change, remember that some people also get to win huge lotteries.  If you are reading this blog, I’ll assume that you, like me, are neither of the above.

Most InfoSec professionals, from the trenches to the executive level, are tied to environments with limited and infrequent opportunities for radical change.  We can make things a little better, with the goal of minimizing bad things and gradually improving overall.

Or, if we are brutally honest, we may admit we’re more like sewage plant engineers, and that “stink less tomorrow” is a laudable goal.



But some changes just aren’t worth the effort. With our environments continuously becoming more hostile and elaborate, doing nothing means losing ground. BUT, change does not assure improvement, and change for the sake of change may make things worse. At the risk of offending some friends in the business, spending weeks or months researching a new anti-virus solution, then spending the time and money to implement it, may not be worth the effort and investment. Some poorly thought out “improvements” will actually make your environment less robust, and a lack of familiarity with new systems can set back your ability to properly manage and secure your environment. Change for the sake of change is crap. I would suggest you instead spend that time on filling known holes in your visibility and awareness, such as log aggregation and analysis (Disclaimer: yes, I know, I work for a company which sells this kind of tech. I have advocated this for years; it isn’t about sales), or application whitelisting, or improved patching: something, anything, that can actually move you forward.

Unless you are one of the “lottery winners” who can make big things happen fast, focus on the incremental changes you can make today. And keep a wish list handy for when you win the lottery.