From: security curmudgeon (jericho@attrition.org)
To: InfoSec News (isn@attrition.org)
Cc: errata submission (errata@attrition.org), thornton.may@guardent.com
Date: Sat, 13 Oct 2001 23:30:40 -0600 (MDT)
Subject: Re: [ISN] Info Security 'Teachers' Need More Learning 


: http://www.computerworld.com/cwi/story/0,1199,NAV47_STO64314,00.html
: 
: THORNTON MAY
: October 01, 2001 

: Security professionals insist that better education of business
: executives is needed. They're right, but while they think they should
: be the teachers, they really should be the students first. At first
: glance, writing down what must be known about security and privacy and
: who needs to know it appears to be pretty basic. But security and

*Appears* to be basic, yes. Anyone that has been in the field for more
than three months knows this often gets a bit more complex as soon as your
client has more than seventeen computers.

: privacy professionals appear unable to put the security and privacy
: to-dos in the proper context for people who manage sensitive
: information. Why? Security people have never been known to distinguish

Says who? This point alone could be argued back and forth for a few weeks
I think. The amount of books on security range from "Comp Security for
Absolute Dimwits" to highly technical books that would mystify the masses.

Creating a basic list of 'to-dos' is simple and done often. Finding a way
to get your clients to comply with that list and not lapse is the real
trick. 97.3235% of computer security breakdowns at client sites are due to
their inability to follow the security policy in place (1). Further,
83.9823% of those cases were deemed "lack of common sense" (2). 

: themselves with dazzling feats of writing. Dostoevski and Tolstoy were
: pithy compared with contemporary security and privacy policy writers.

The client leads these documents. They want wording that is specific,
repetitive, all inclusive, repetitive, and lawyer appeasing. They ask for
it, security professionals deliver it.

: So, the first lesson at security school should be basic writing
: skills.

And the first lesson of journalism should be something about stereotyping,
right? But hey, all journalists are morons (3).

: Then there's the "bedside manner" of security and privacy professionals.
: They tend to be very good at telling us what's wrong and what's broken,
: but most of them are mute when it comes to actually fixing the problem.

Most of them... based on what? Can you share the material or survey that
backs this? And does this apply to the fine people at security companies
like Guardent? Or are they immune to your verbal beat down?

: Most security professionals would benefit from a bit of advice from
: journalists in the do's and don'ts of telling a good story. Executives

I find this extremely ironic. If security professionals are to follow in
the footsteps of journalists, they are fucking doomed.

1. http://attrition.org/errata/   Yeah, journalists are sure on top of
things.

2. Based on #1, security professionals would be telling their clients a
complete load of shit that had no foundation in reality. "Yes, this IDS
system will protect your entire enterprise wide organization, keep HR out
of Engineering, stop all your modem dialup problems, and prevent every
employee from being social engineered because they were dimwits. Honest." 

: of the future won't tolerate messages that aren't highly relevant to
: them and will filter them out. So, lesson three is storytelling.

Lesson three is NOT storytelling. Security consulting often involves
auditing of one type or another. In audits, you don't get creative or
wordy or beat around the bush. You find problems and provide solutions.
If your argument is that security professionals give crappy documentation
in their work, then say that. But don't recommend that they resort to
storytelling as a solution. Leave that to the security professional
turned journalist for a day.

: Assuming that the security curriculum has been created and taught, the
: third question becomes, "Has the organization tested various audiences
: against that curriculum?" Again, we find that less than 10% do so.

And this is the fault of the security professional? How many times are we
asked to audit or secure a system, write a policy or something else, only
to find out that our recommendations were not followed up on for various
reasons? They run out of money, made their boss happy, satisfied legal by
meeting some minimal demands for security, who knows. Do you think that
security professionals hand over a security policy written to customer
specs only to say "thanks for the money, file this away and be sure not to
follow it!"?
 
: Three months later, we returned to that 91% and asked, "Have you
: become more active in designing and implementing information security
: and privacy programs?" Ninety-five percent said no. Executives endorse
: the theory and concept of security and privacy, but they don't walk
: the walk.

And this is the fault of the security professional how?

And could you cite this survey please? I couldn't find it on the Guardent
web site. I did find this "gem" of an example though (4):
http://www.guardent.com/pr2001-06-25-01-GEM.html

This sounds exactly like what you are speaking out against. You want to
put all that in plain English?

: Thornton May is corporate futurist and chief awareness officer at
: Guardent Inc. in Waltham, Mass. Contact him at thornton.may@guardent.com

What a complete disappointment. 

Being with Guardent, I am just SURE that you and your firm aren't like the
bad guys you talk about above, right?


(1) I made this number up so we can both quote studies to back
    our argument. Like you, I won't provide a full reference.
(2) See number 1 hombre.
(3) And all security professionals are not journalists obviously.
    Hypocrite.
(4) ha ha i kill me with these puns
