Shostack + Friends Blog Archive


Standing Still

Following up on Ben’s comment to s/green/secure/g,

infosec generally makes life /harder/ for people (at least in the short-term), all to keep bad things from happening.

I’ll argue it’s even worse than that.

Since “secure” is neither achievable nor a static state, it can never be done and standing still means falling behind.  One of the frustrations that people express to me about Information Protection is that it’s never “done.”

Every hour of every day, some new threat is identified or exploit published.  Every single one of them could produce anything from a “move along, nothing to see here,” to a patching frenzy to a horrible realization that someone’s architectural trade-offs just failed very badly, which is to say, “expensively,” and now a whole lot of time and money is going to be required just to get back to the same level of risk they (thought) they had before they read that last email or news item.

So the workload increment here to go from falling behind to static state is not just fighting the fight, but also includes knowing what new risks are coming up that need to be managed.

The ones in the media or blogosphere are easy to deal with and mostly consist of reading through the journalistic hype so you can explain to your management why they should or shouldn’t be doing something about it.

It’s the risks that the company takes onto itself in the course of doing business that are hard.  Very rarely does anyone ferret those out for you, and if they do, it’s either to get your blessing (which may or may not be deserved) or to help settle some internal political fight which has nothing to do with security.

Then, you have to assess those risks accurately and recommend a course of action to manage the risk.  While this will usually be “accept” or “tell the IT Operations team to do their job,” sometimes it’s asking a line of business to add additional controls or IT to deploy additional safeguards.  Naturally, they will never admit to having time or budget for this until you’ve backed them into a corner by exhausting all alternatives.

Finally, you’ll need to do this every day and still have the strength to stand firm and avoid contracting “security fatigue” when all this effort doesn’t even get your organization to “secure”–only (hopefully) “secure enough.”  Until you read that next news article or open that next email, that is.