Shostack + Friends Blog Archive


Blogs worth reading, an occasional series

Dan Lohrmann’s “Why Do Security Professionals Fail?”

So what works and what doesn’t seem to make much difference in getting consistently positive results? My answers will probably surprise you.

I’m not the first person to ask this question. Conventional wisdom says we need more training and staff with more security certifications. Others say we need to pay Information Assurance (IA) staff better, gain a better understanding of the bad guys, provide more executive leadership training or get more top-level executive buy-in. Of course, I support all of these items – who can argue against more executive buy-in?

Nevertheless, I’ve seen security staff around the country with all of the right boxes checked, and others with none of the above, be successful. For example, some people are able to obtain the executive buy-in for security when they don’t initially have it, while others who initially have significant executive buy-in either lose that support or can’t seem to use this advantage to get closure on key security projects.

The corollary is also true. I’ve seen security professionals with all of these positive attributes fail miserably…

The series is worth reading.