Category: argument

The Best Question In Information Security

Ian Grigg seems to have kicked off a micro-trend with “The most magical question of all — why are so many bright people fooling themselves about the science in information security?.” Gunnar Peterson followed up with “Most Important Security Question: Cui Bono?” Both of these are really good questions, but I’m going to take issue with Gunnar’s claim. Who benefits is a great analytic tool to bring to the table, but it’s not the most important. The most important question isn’t even “Are you getting the outcomes you want?” or even “Are your controls producing the outcomes you want?”

I really like both of those questions, but I don’t think they quite capture the position of best. They’re better than many, which is an important step forward. But we can still do better. Security isn’t something people want in and of itself. It’s a property that you want for things. In the same way that people don’t go and buy a usability product, they don’t really want to buy security products. They might buy a reliability product (like a fail over system, or a high availability storage system), but they’re buying it to enable something else. And even as we work on our speciality, and even as I think it’s important, it’s part of the business, and so my proposal for today’s most important question to ask security is:

How’s that working out for you?

It’s sad how often that brings smart folks in security to a dead stop. We can and should do better, and I think that “How’s that working out for you” helps us get better outcomes faster than “cui bono.”

And I’m optimistic that someone will say that question isn’t working very well for them, and offer up something better.

For Blog/Twitter Conversation: Can You Defend "GRC"?

Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today.  I believe G & C are subservient to risk management. So let me offer you this statement to chew on:

“A metric for Governance is only useful inasmuch as it describes an ability to manage risk”

True or False, why, and what are the implications if true or false.

Please discuss.


The stupidest post of the year?

George Hulme nominates this as the stupidest blog post of the year. I’m tempted to vote, although we have 30 more days.

Business leaders need to understand there is no more need for proper security to justify itself over and over again. It saves you time and money (period).

My take? Any time someone asserts that people in a different role “must” understand something, what they’re really saying is “I have no arguments beyond the assertion.”

Were it so obvious as is asserted, there would be no need to assert it. No one bothers to say “Business leaders need to understand that the sun will rise tomorrow.”

Similarly, if security were an obvious savings of time and money, then there would be no need to claim that leaders just needed to wake up to that fact.

Feel free to offer up entries for sillier in the comments. Including, of course, this post.

Wretched Word of the Week: Trust


Where to start on this one?

Trust as we use it means so many things. Then there’s the word trusted. Beyond that, there is trustworthy. A bullet point on a slide I recently saw said, “Trusted computing is not trustworthy computing.” Oh, how nice. Even better, “Trusted Computing does not mean trustworthy or secure.” I must ask in what sense trust is anything but jargon (at best) or newspeak (at worst), with hyperbole as a middle interpretation?

Isaac Newton said that for every hyperbole, there’s an equal and opposite hyperbole. Confirming this law of nature, Richard Stallman has declared that trusted computing is actually treacherous computing. Thus we have Orwell satisfied. War is peace; freedom is slavery; trust is treachery.

A good deal of the problem is that trust is transitive. No, not that way. Not in the sense that if Alice trusts Bob and Bob trusts Carol, then Alice trusts Carol. Transitive as in a verb that takes a direct object. Of course we all trust our mothers. But if you “trust your mother with your life,” does that mean you trust your mother to change a firewall rule in your router? Trust is not only a transitive verb, but it is a situational transitive verb.

We in security use trust not as a transitive verb, but as a noun, and worse, an adjective. This leads to many strange things. Among them:

  • “Trust is willingness to do something risky on behalf of another human.” I wish this were merely a typo because this is the opposite of trust. I might be willing to let you do something if I trust you, but your willingness is not trust, it is willingness. Trust may be a precondition for my willingness, but it may be that my willingness is thin because I have no choice. I trust Bill Gates, Steve Jobs, and Linus Torvalds, but it’s not like I have an alternative.
  • “Trust is risk.” Not bad. But as we know from economics, risk is money. Therefore, through transitivity, trust is money.
  • “A trusted system is one that can screw you.” Yup, and precisely my point. When I trust my OS, I trust it in the sense that I just have to take a deep breath and hope.

Let’s stop using the word trust. Don’t say trustworthy metadata if you mean believable metadata. Don’t say trust if you mean control, risk, willingness, confidence, or reliance. Use those words. Trust is stale and vague. It would be best if we stop using it.

That is easier said than done, given the way we habitually use it. Nonetheless, we should fight new uses of the word, if for no other reason than a smart consumer will run screaming if they hear you use it, because when trust is used with security, it means something bad is going to happen. It means exactly what “This won’t hurt a bit” does. The faster you flee it, the faster the irony becomes apparent to all.

Photo “Trust” courtesy of

No soup for you!

Harkening back to Adam’s post a while back concerning EC being blocked or miscategorized by various “security” products, tk of nCircle posts that has been blocked from some security vendor sites.

This reads to me like the equivalent (speaking of analogies) of Toyota blocking, rather than the categorization of as evil in some more general sense.  Still, it makes no sense to me, at all.