[Infowarrior] - Ranum: The Anatomy of Security Disasters

Richard Forno rforno at infowarrior.org
Sat Mar 28 00:04:06 UTC 2009


Introduction: Truth

Since I started in security, 20 years ago, "they aren’t taking  
security seriously" has been the constant complaint of the security  
expert. Even in organizations where security is taken seriously, it  
has been at the expense of living in a constant relationship of  
opposing management or other business units. Some of us enjoy the  
strife; most don’t. In fact, most of us enjoy being employed more than  
we enjoy being right.

So, what’s going on? We’ve finally managed to get security on the  
roadmap for many major organizations, thanks to initiatives like PCI and  
some of the government IT audit standards. But is that true? Was it  
PCI that got security its current place at the table, or was it  
Heartland Data, ChoicePoint, TJX, and the Social Security  
Administration? This is a serious, and important, question because the  
answer tells us a lot about whether or not the effort is ultimately  
going to be successful. If we are fixing things only in response to  
failure, we can look forward to an unending litany of failures,  
whereas if we are improving things in advance of problems, we are  
building an infrastructure that is designed to last beyond our  
immediate needs.

Our challenge, as security practitioners, has always been to balance  
risk – the tradeoff between the danger of doing something and the  
opportunity it presents. Since we’re not working in a field where the  
probabilities are simple, like they are on a roulette wheel, we’ve had  
to resort to making guesses, and trying to answer unanswerable  
questions. I don’t know a single senior security practitioner who has  
not, at some point or other, had to defend an estimated likelihood of  
a bad thing happening against an estimated business benefit. In those  
cases, the result has less to do with security and more to do with  
whose meeting-organizational skills are superior, or who’s better at  
explaining their viewpoint. I’ve seen major security-critical business  
decisions get made based on whose golf buddy runs what business unit –  
I’m very skeptical of the notion that "Risk Management" has any value  
beyond the butt-covering obviousness of having made an attempt....

< - >

http://blog.tenablesecurity.com/2009/03/ranums-rants-the-anatomy-of-security-disasters.html
