Why I'm Skeptical of "Due Diligence" Based Security
Some time back, a friend of mine said “Alex, I like the concept of Risk Management, but it’s a little like the United Nations – Good in concept, horrible in execution”.
Recently, a couple of folks have been talking about how security should just be a “diligence” function: that is, we should only have to prove that we made best efforts, and that should be enough. Now conceptually, I love the idea that we could prove our “compliance” or diligence and get a get-out-of-jail-free card when an incident happens. I always think it’s lame when good CISOs get canned because they got “unlucky”.
Unfortunately, if risk management is infeasible, I’ve been thinking that the concept of Due Diligence Security is complete fantasy. To carry the analogy, if Risk Management is the United Nations, then Due Diligence Security is the Justice League of Superfriends. With He-Man. And the animated Beatles from Yellow Submarine. That live in the forest with the Keebler elves and the Ewoks and where the glowing ghosts of Anakin, Obi-Wan and Yoda perform the “Chub-Chub” song with the glowing ghosts of John Lennon and George Harrison. That sort of fantasy.
DUE DILIGENCE BASED SECURITY IS AN ARGUMENT FROM IGNORANCE
Here’s the rub – let’s say an incident happens. Due Diligence only really matters when there’s a court case. And in most western courts of law there’s still the presumption of innocence: the defendant is innocent until proven guilty. Resting a diligence defence on that presumption amounts to saying “nobody has shown that we failed, therefore we were diligent”, which in logic is the argument from ignorance, a recognised fallacy.
Arguments from ignorance are fallacies because of the epistemological notion of falsification. To borrow the textbook example (Mill’s swans, Hume’s problem of induction, Popper’s falsification): we cannot prove “all swans are white” simply because every swan we have observed so far has been white, BUT the observation of a single black swan is enough to prove that “not all swans are white”. This matters in a court of law, because your ability to prove Due Diligence as a defendant is a function of your ability to prove all swans white: all systems compliant, all the time. The other side only has to show a single black swan, one non-compliant system or one leaked record, to prove that you were NOT diligent.
Sir Karl Popper says, “Good luck with that, Mr. CISO”.
IT’S A TRAP!!!
The result is this – the CISO, in my humble opinion, ends up in a worse position, because we have a really poor ability to control the spread of sensitive information through the complex systems (network, system, people, organization) for which they are responsible. Put it this way: if information (and sensitive information in particular) behaves like a gas, expanding into every space where it isn’t actively contained, how can we possibly expect the CISO to prevent every “escape” or leak 100% of the time, with no exceptions? And a solitary exception turned up in a forensic investigation becomes our black swan.
And therefore… When it comes to proving Due Diligence in the court of law – Security *screws* the CISO. Big Time.