Archive

Archive for the ‘Musings’ Category

Incentivizing “Makers”

August 14th, 2013

This post was directly inspired by @secmoose and me having a conversation over the last week, and was originally driven by my disappointment this year at DEF CON that, once again, we’re idolizing people that break things. To be clear, I break things. I have nothing against pen testers (I am one) or security researchers. But we show up in Vegas, listen to people talk about breaking stuff, try to break stuff, and then go home. Who builds anything? I know the DEF CON Kids program is doing a bit of this (awesome) and there’s certainly a handful of IR/intrusion analysis/monitoring/etc talks…but we are definitely skewed towards the “I broke this, look at me!” scene.

What to do? Well, here’s what I am NOT suggesting – let’s NOT stop what we’re doing. We are exposing some awesome issues, having better conversations than ever before (and with the NSA listening in to all of them, what could be wrong?), and slowly and steadily marching onward in this bizarre field. No, what I’d like to see, at least an initial dialogue on, is how we incentivize people who defend and build security versus find flaws in it. We all know that both are critical. So what can we do to get more “build” and “innovative defense” talks at cons, as well as activities that have a more dominant “build and defend” element?

@secmoose had some great thoughts on a more defense-oriented aspect of CTFs. CTFs are great for building and testing skills, but primarily for the offensive side. While there are definitely defense aspects included today (malware reversing, PCAP manipulations, “waterholing”, etc.), there could probably be a lot more. What about an entire campaign focused on “active defense” aggravating attackers using techniques and tools like those in the ADHD distro from @jstrand, @secureideas, and @pauldotcom? More “innovation” ideas on tools for defeating attacks, identifying malicious behavior and thwarting it? Just thinking out loud, really. Would love other ideas and thoughts you guys may have.

In fact, one of my talk ideas for DEF CON this year (rejected) was that we look at what the original spirit of a “hacking conference” was, and try to get back to those roots. Let’s invite more people who have nothing to do with breaking, building, *anything* in security, but who have great ideas and do other work in science, robotics, engineering, etc. Let’s get some new blood and people outside our industry thinking about some of this and try to get back out of the box we’re in, creatively. Who knows? Could be fun.

Categories: Information Security, Musings

It is NOT time to “professionalize” information security.

May 24th, 2013

I recently read an article that was posted by my friend Brian Honan titled “Is it time to professionalize information security?” I know this debate’s been going on for a bit. I have a lot of respect for Brian (who supports licensing or “professionalizing” infosec), for a lot of reasons. If you’ve ever met the guy, and/or know of his accomplishments and track record, you likely do too. So to be clear, my opinions in this matter have nothing to do with Brian, and everything to do with what I see as a bad direction to take in our industry right now.

People – this is a “knee jerk” to the insanity that is information security. Things are chaotic, sure. Breaches, crime, national defense…all contributors to this mess. Top that off with a general distrust for vendors (with a perception of them selling “snake oil”), a disturbing number of “charlatans”, raging debates about certifications like the CISSP, drama at every turn, and constant cries of “we have to get better”. Sigh. I know, it sounds bad, right? But it really isn’t nearly as bad as it seems.

We are an “industry” in a very early stage, folks. I’ve said this before, I’ll say it again – we have a major, fundamental difference in infosec that makes it seem much worse – we have adversaries. They are working against us. When the Windows MCSE came out, it was a joke. Anybody could go learn a little about Windows, and become a “certified” Windows…, uh, person. But there was no diabolical Blofeld waiting in the wings to set Microsoft back, planning a global overthrow with Linux-wielding henchmen in an underground lair while he stroked his cat. Same for networking, whether Cisco or otherwise. Same for databases, CRM, enterprise middleware, and so on. Nope, only infosec has these shadowy lurkers who continually thwart our best efforts, stealing data and making the news.

We’re making progress. Really. Yeah, we have some idiots jumping on the bandwagon churning out Nessus reports as “pen tests”. So do we run to “certify” everyone so such an atrocity can never happen again? Really? You’d put us in a little box so that we can all feel safer? No. Here’s a better plan – those of us who are NOT clueless and DO provide quality work for clients or our businesses should work harder to educate people on this. That’s the problem. People are freaked out, they may not know any better, and they’re looking for solutions. Be it vendor or consultant or both, there’s ALWAYS a solution. Some are good, some are not. We’re falling prey to FUD, plain and simple. And if you get caught up in the daily whining on Twitter and elsewhere proclaiming that infosec is “so messed up” and that it “needs fixing”…well, you’re falling right into the drama-laden trap that plagues our industry.

The infosec industry needs creativity. It needs people who don’t fit the mold, who would rather set a kitten on fire than wear a tie, and who cannot help themselves from telling dick jokes, no matter when or where. Those people may not fit the “professionalization” scheme, but we would be SCREWED if we lose them. They think outside the box, they don’t look “corporate”, and they insist on wearing black T-shirts. I’m being purposefully stereotypical, of course. We’re a widely diverse crew these days, and we’re better for it. But thinking we’re failing so badly that we need to “professionalize” is silly. If that is the case, then why don’t we REALLY get to the heart of things, and professionalize programmers? It’s their shitty code that is causing a lot of the mess, there’s no denying this. While we’re at it, we should probably “professionalize” systems admins, network engineers, everyone. They screw up too, right? We should definitely “professionalize” project managers. Those people are a pain in the ass. Let’s make them certify!

C’mon. This isn’t the answer. Infosec is crazy, sure. But we’re not headed into doom and gloom as some would have you believe. We’re improving education programs all the time. I have met some of the college kids who are taking part in Red Team-Blue Team competitions, and some of them are crazy sharp. We’re trying to fix things like the CISSP, with guys like Wim Remes and Dave Lewis as our men on the inside. We’re having proper debates about “attacking back” and cyberwarfare (ugh), and so on. We’ll get there. But don’t react and put us in a little defined “program”. I don’t want to be a part of the Borg, not now and not ever. I have hundreds of happy clients who can attest to my work, and so do many of you. Let’s let folks like the Attrition crew smoke out the worst charlatans. And let’s try to keep our sense of humor AND reality along the way.

Categories: Information Security, Musings

Freaks and Geeks and Subcultures

March 20th, 2013

In the last few days, there has been a flurry of stories about this supposedly sexist scenario at PyCon called Donglegate. Two dudes told some stupid dick jokes (referring to them as ‘dongles’) in the audience, a prominent female speaker heard them behind her, and she opted to make a big deal about it. Such a big deal, in fact, that they got fired from their jobs. I’m going to pull the “What the F***” card on this one. Lady – find somewhere else to make your soapbox stand, would you? This industry has REAL issues with sexism, but stupid dick jokes aren’t the problem, especially when they were obviously meant to be private conversation and not directed at anyone with malicious intent. Sheesh.

There’s been a lot of drama in the IT, and specifically the security, industries in the last few years. I think we’re experiencing a sort of cognitive dissonance, really. We keep being told that we need to be more professional and businesslike, so we are trying VERY hard to fit this ideal as an industry. I’ve come around on this thing, though. I am a product of a subculture, and I like that subculture. I like nose rings, tattoos, colored hair, stupid black T-shirts with juvenile and snarky slogans, and the idea that we still might be the smartest people in the room. And I don’t want to change ALL of it to fit an ideal someone else is creating for me.

I clean up well. I can wear business clothes and hang out in corporate environments with clients all day, and so do many of you. But I’m still the same tattooed geek who has been breaking shit since the 70’s. A lot of this drama, I think, is us feeling like we need to behave in a certain way to attain credibility…for SOME reason. We should stop this. I never want to hear this dumbass “getting a seat at the business table” crap anymore. If that is your goal in life, play the corporate politics and let the geeks do our thing. But do NOT deliberately create strife for others who are being nerds in their own culture, with their own peeps, and hurting no one in the process. If a crime is committed, do something. If someone offended you? FFS, get over yourself and adjust, or find your own damn subculture where you don’t need thick skin to hang with the people in the black T-shirts. Because we’ll be telling dick jokes. Awkwardly, granted, but…that’s us.

Categories: Musings, Rants

2012: Over and Done With.

December 31st, 2012

Well, this is really more a footnote than anything. Did 2012 go the way you wanted it to? Here on New Year’s Eve, hanging with Karrie in Vegas, it’s a great time to look back and reflect on how the year went. Did I accomplish my personal and professional goals? Did I do anything interesting/unusual? Did I learn anything? These are the kinds of questions all of us should be asking, of course. A little introspection never hurts…right?

There’s been a lot of acrimonious discussion in the security community this year…and I found myself becoming completely and totally desensitized to much of it. Why? Not because I’m callous or don’t care. No, because I have progressively grown more focused on discourse that actually addresses real-world issues or things we can do…I’m not interested in emotional diatribes, whiny passive-aggressive rants, or philosophical musings on why security is “broken”. I am all about action, pretty much all the time. And, my friends, so should you be. Get out of this sad bitching about what is broken, what is wrong, who is bad, why the “industry” or “community” is broken or messed up…none of this does a damn bit of good.

Get out more. Get some friends and hobbies outside infosec. I have said this a million times, but it bears repeating. If, at the end of your life, you can only look back and think about all the bullshit “Internet friendships” you’ve had (or not had), then you’ve failed. A life is supposed to be interesting, full of crazy experiences, travel, experiments (both failed and successful, doesn’t matter), and so on. Myopically dwelling on the “infosec community” does you, and likely the community, a disservice. There’s more to life. Go forth, solve problems, come up with outlandish goals and plans, enjoy your family and people you see IN PERSON, and most of all…HAVE FUN. Don’t sit around stewing about how we’re NOT doing this, vendors are bad, business doesn’t listen, etc. Useless. Focus on what you CAN do, SHOULD do, and then DO it. Be positive. And, perhaps most of all, don’t get all caught up in the politics or the silly rantiness of those who have nothing better to do than sit in front of their %&* computers and bitch. You don’t have to be one of those people. I’m going to get away from that crap as much as possible in 2013 and beyond. Hopefully you will too.

Happy New Year!

–Shack

Categories: Musings

Cyberpunk and Music, Community Style

November 3rd, 2012

In the last few weeks, I put out a call to the infosec community on Twitter for some new ideas on electronic music and Sci Fi books in the “cyberpunk” genre. Tons of you responded, and I wanted to capture this in a blog post to share the feedback with anyone who might be interested in this. Little things like this remind me of just how awesome our community is – thanks a ton to everyone.

Music: I was looking for some new electronic music, NO DUBSTEP (because it sucks). Here’s what came back:

  1. Polyfuse – http://www.polyfuse.net/ – Awesome!
  2. Loscil – cool ambient stuff. http://www.loscil.ca/ but check his Bandcamp site for moar. http://loscil.bandcamp.com/
  3. Emancipator – cool, sort of mellow and lots of different instruments. http://www.emancipatormusic.com/ and http://emancipator.bandcamp.com/
  4. Welder – This is growing on me a LOT. Really environmental stuff. http://www.last.fm/music/Welder
  5. Biosphere – Holy….chilling, Batman. Really smooth and sort of spooky. http://www.biosphere.no/
  6. Kiln – Really cool and organic. Very interesting percussion. http://www.kilnaudio.com/
  7. Blue Sky Black Death – still listening, heard a few things I am digging. http://bsbdmusic.com/
  8. Big Gigantic – some of the better beats I heard, some of their stuff is a little shrill, though. http://biggigantic.net/
  9. Carbon Based Life Forms – Definitely some of the better ambient I’ve come across in a while. http://www.carbonbasedlifeforms.net/

Books: I asked what people’s favorite cyberpunk books were (besides “Neuromancer”), and got the following:

  1. “The Powers of the Earth” by Travis Corcoran: http://morlockpublishing.com/the-book/
  2. “Mrs. Frisby and the Rats of NIMH” by Robert C. O’Brien: Cool suggestion, Davi! http://www.amazon.com/Mrs-Frisby-Rats-Aladdin-Fantasy/dp/0689710682
  3. “The Shockwave Rider” by John Brunner: One of my favorites, too. http://www.amazon.com/Shockwave-Rider-John-Brunner/dp/0345467175
  4. “The Moon is a Harsh Mistress” by Robert Heinlein: http://www.amazon.com/Moon-Harsh-Mistress-Robert-Heinlein/dp/0312863551/
  5. “Schismatrix” by Bruce Sterling: http://www.amazon.com/Schismatrix-Plus-Complete-Shapers-Mechanists-Universe/dp/0441003702/
  6. “Diamond Age” by Neal Stephenson: http://www.amazon.com/Diamond-Age-Illustrated-Primer-Spectra/dp/0553380966/
  7. “Accelerando” by Charles Stross: http://www.amazon.com/Accelerando-Singularity-Charles-Stross/dp/0441014151
  8. “Feed” by M.T. Anderson: http://www.amazon.com/Feed-M-T-Anderson/dp/0763662623/
  9. “The Quantum Thief” by Hannu Rajaniemi: http://www.amazon.com/Quantum-Thief-Hannu-Rajaniemi/dp/B008W3CR8U/
  10. “Snow Crash” by Neal Stephenson: Of course. 🙂 http://www.amazon.com/Snow-Crash-Bantam-Spectra-Book/dp/0553380958/
  11. “Count Zero” by William Gibson: http://www.amazon.com/Count-Zero-William-Gibson/dp/0441013678/
  12. “The Difference Engine” by William Gibson and Bruce Sterling: http://www.amazon.com/Difference-Engine-William-Gibson/dp/0440423627/
  13. “Burning Chrome” by William Gibson: http://www.amazon.com/Burning-Chrome-William-Gibson/dp/0060539828/
  14. “Ready Player One” by Ernest Cline: http://www.amazon.com/Ready-Player-One-Ernest-Cline/dp/0307887448/
  15. “Altered Carbon” by Richard Morgan: http://www.amazon.com/Altered-Carbon-Takeshi-Kovacs-Novels/dp/0345457692/
  16. “Everyone in Silico” by Jim Munroe: http://www.amazon.com/Everyone-Silico-Jim-Munroe/dp/1568582404/
  17. “Ender’s Game” by Orson Scott Card: Of course! http://www.amazon.com/Enders-Game-Ender-Book-1/dp/0812550706/
  18. “Cloud Atlas” by David Mitchell: http://www.amazon.com/Cloud-Atlas-Novel-David-Mitchell/dp/0375507256/

Kevin Riggins also pointed me to this list: http://en.wikipedia.org/wiki/List_of_cyberpunk_works

Anything else to add, please include in the Comments, and thanks again!

Categories: Musings

Infosec’s Most Dangerous Game: Groupthink

October 12th, 2012

These days, I am very, very afraid for the future of CISOs. Over the past few years, and specifically the past 12 months, I have become increasingly alarmed at the level of “groupthink” and “synchronized nodding” going on with security executives. Here are some of the things I am seeing:

  1. Lots of talking about the same shit, with absolutely no innovation at all. Good examples include metrics (we need them! they’re IMPORTANT!) and talk about policy and governance that usually means absolutely nothing.
  2. A desperate need to find “the metrics” to report to “senior management” – there is no such thing. Your management, in all likelihood, does not want any tactical numbers on antivirus events, IDS alerts, or such blather. They want real risk advice on business goals and functions. Period.
  3. Managing by managing what everyone else is managing. You would not BELIEVE how many security products get purchased because other security executives are buying them.

Most CISOs are smart folks. You got to that spot because you’re competent, or maybe more politically astute, or ideally both. We need to break out of this. I remember a while back when everyone in infosec lamented that we “never communicated”. Now, I almost think we OVER-communicate. It’s easy to play it safe by following what others are doing – I hear this in SANS classes, IANS forums, and sporadically with consulting clients. Not overtly, but sort of “between the lines”. We need innovation, and that means getting outside the echo chamber of security. I give a talk at a few IANS forums that adapts the concepts from the book “The Lean Startup” into the world of enterprise security programs to try to kickstart this. I don’t know that I do a great job, but I’m going to keep trying. Here are a few key pointers from that talk.

First, think of your security program like a startup, and the overall program and its performance as your product. Ask yourself a few questions, and answer them honestly every day:

  1. Do consumers recognize the problem we solve?
  2. If there’s a solution, will consumers buy it?
  3. Will consumers buy the solution from us?
  4. Can we build a solution for the problem?

Your “consumers”, of course, are your constituents, ranging from employees to senior leadership, to customers and partners. Think about how THEY look at security, why they care or don’t care about it, and you’ll be on the right track.

The next thing to do is leverage the “Entrepreneur Pyramid” (the pyramid diagram from the talk is not reproduced here):

Create a security program mission/vision statement, and make it realistic. Define a short and long-term strategy, and be willing to “pivot”, or change, that strategy often – maybe every 6 months or even more regularly. Look at your product today as the MVP – Minimum Viable Product. Then optimize and build. To do that, leverage the Feedback Loop:

Focus on the major phases:

  • Build from ideas: Get creative. Think about different ways to accomplish your goals, and get feedback and input from people, and NOT just security people.
  • Measure your product, often: How effective are you? Are you missing attacks? Are you educating the business? Are you facilitating business, and becoming more trusted by business unit leaders? This is metrics, perhaps, but ask yourself what success looks like…?
  • Learn from the data: Data should drive insights. If it isn’t, you’re wasting time collecting it in the first place.

My final concept to try is “The Five Whys”. For every brainstorming session or security meeting, when trying to solve problems, come up with new ideas, or determine a root cause, drill into each idea five times. Not to be annoying, like a 3-year-old that won’t quit, but to see how deep you can get, and force that “out of the box” thinking. In many cases, by the 3rd or 4th “why”, you’ll be really digging for answers or more ideas. That’s OK! Just keep digging.

This isn’t a perfect science, but if we want to be real business leaders advising on risk, we need to start thinking of new ways to do it. I recommend reading Eric Ries’ book, too – it’s really good.

Categories: Information Security, Musings

Your CISSP is Worthless. Now what?

August 22nd, 2012

OK, so it’s not really worthless. It can help you get a job or a contract. But in the scheme of today’s infosec world? It’s really broken, in my opinion. Let me break down my thought process, since I’m typically pretty upbeat about things.

Over the years, I have had more than a few laughs with both clients and SANS students about various aspects of the CISSP. Few seem to *really* take it seriously. That’s a big indicator.

Second, there are far too many things in that cert/test that are completely and totally useless to 99% of us in infosec. As the Information Systems Security Professional, I do not need to know a damn thing about fire extinguisher types, fence height, or lighting. Sure, it may be interesting knowledge. But not relevant to most people’s infosec jobs, and thus extraneous in the cert.

Third, the CISSP demonstrates no hands-on skills. The test itself, completely insane in its wording and content in some cases, just makes you memorize a bunch of concepts. We don’t need many, if any, theoreticians today. I need tangible, real skills that can be put to good use immediately. You may argue that theory and research and risk and <blah blah blah> has its place. Sure it does. But I don’t need that in a cert like this. I want someone who can walk in the door and DO things. Not think about doing things. Or talk about doing things. Or answer obtuse questions about things without being able to perform hands-on tasks.

I’ve had some people tell me – “I’m proud of my CISSP.” Really? Of what, exactly?

  • Studying for a test
  • Taking and passing a long, obnoxious test
  • Doing WORK for 3-4 years (wow, welcome to a CAREER)
  • Having a college degree (in some cases)
  • Acquiring <puke> CPE credits for random bullshit-able things
  • Getting someone to attest that you are smart. And/or awesome.

People, it’s broken. HR offices are essentially discriminating against people who don’t have one, for really no good reason. This cert is ridiculous. If you have to get one for work, or compliance, or DoD 8570, or something…OK. But don’t strut around and act as though this really means you have something unique or special…you don’t. I know way too many CISSPs who can’t dissect a packet, configure a firewall or IDS, write a script, perform a real in-depth risk analysis, and so on. That does NOT bode well for the future of information security. If you argue that it’s meant to be a broad, “theory” cert – well, I argue we don’t NEED those. We need more DO-ers.

So what do I propose? I say scrap the whole thing. Start over. Build a cert and program that tests fundamental skills and means something to employers who really need things done. Offer existing cert holders one year and a free test to get the new one. Otherwise, they’re out. We need to weed out the people BSing their way through infosec on the back of a bunch of stupid CPEs. I’d love for the CISSP to mean something, and see the industry rally around it as a useful and legitimate indicator of knowledge and skill. Friends of mine like Wim Remes are on the ISC2 board, and Dave Lewis and Boris Sverdlik are running for the board now. I would love to see more awesome folks like these guys steering the ship. But it needs an overhaul regardless.

Pic courtesy of Boris’ site at http://www.jadedsecurity.com.

Categories: Information Security, Musings, Rants

Infosec Thought Followers

June 15th, 2012

If you have been in this field for any length of time, you’ve undoubtedly come across the term “Thought Leader”. Ugh.

What, exactly, is a “thought leader” in this space? Someone who discovers amazing new technologies? Someone who predicts the direction of security? Both? Neither?

This is one of those terms that just makes my skin crawl, and here’s why. I have not seen anything wholly NEW in this field in a long time. In fact, just about everything I see is some variation on an existing theme, in just about every way. Most of the people blogging, ranting, speaking at cons, etc. are all doing something that builds on work that came before…and that doesn’t necessarily make it bad, of course. Far from it – there’s some amazing stuff happening right now all over the place in infosec. But we’re really all building and feeding off one another. Some call it the “echo chamber”, since we tend to bounce things back and forth and love to hear ourselves think. In some cases, this is definitely true.

A while back, many were lamenting that we never talk in the security community. I think the opposite is true – I think we talk a LOT. My only lament is that we seem to talk about nothing but infosec! There is, of course, more to life than infosec…but I digress.

So next time you see someone labeling themselves as a “thought leader”, you should first laugh at their likely douchy nature, and then ask them exactly how they’re “leading”. Real leadership in this space tends to happen at a level unobserved by most. The CISO who backs her team politically and fights for key projects, the analyst who writes a sweet Python script to automate some rote pen testing task, the incident handler or forensicator who digs for hours to find the root cause of an event, and so on. That’s leadership, and it happens all the time.

As for thinking? Really, we’re all thought “followers” who absorb from one another. That’s what the community is good for. And we need all of it we can get.

Categories: Information Security, Musings

Lies, Damn Lies, and Infosec.

May 25th, 2012

The little lies we tell ourselves are usually the most insidious. Lies about our weight, our success in life, our relationships. We believe these lies. Or we *want* to, at least. They make us feel better, most times. But they creep up on you over time, and when you really, truly discover that they’re lies, after all, they hurt. And they can hurt a lot.

We just might be lying to ourselves in the information security industry.

After a great and spirited debate on Twitter (naturally), a realization dawned on me. Well, two realizations, but I’ll start with the lie.

We may never be seen as business “partners”, or something that really adds value in an organization.

We’ve been struggling with this for years. “Get a seat at the business table” blah blah blah. What if we’re not meant to have one? What if the notion of a “Chief Security Officer” is most businesses’ (and the universe’s, perhaps) grand joke upon us and our industry? Any of you reading this that hold a CSO or CISO title…do you feel like you’re treated as a true executive? My guess is no. I’ve been one, I know. People are pretty nice to us, maybe. But we’ll never have the clout of a VP of Sales, or a CFO.

And down deep, I think we know this. 

But we keep on lying. Now, lest you sink into a quagmire of depression from which you’ll never surface after reading this, we DO have some value. Of course we do! I don’t need to describe all the things we do, and the unemployment rate in infosec right now supports the notion that we are serving a definitive purpose. But time and time again, I hear my fellow infosec folks opine that things are futile, we’re not making a lot of progress, we’re not “winning” (whatever that means in this business).

I’ve struggled with this for a long time. I’m a natural optimist, and I want (badly) to believe that we CAN “win” or succeed at beating back what for all appearances seems to be an unending tide of malicious and horrible crap. But this Twitter-borne realization dawned on me that I may in fact be lying to myself, and everyone else may be, too.

I said I had two realizations. The other came later, after my friends Kevin Riggins and Josh Corman pointed me to something beautiful. Neil Gaiman, a well-known fantasy author, gave one of the most incredible 20-minute speeches I have ever heard at a university commencement ceremony, and you can find the video here. I cannot encourage you enough to watch this video, it may give you something you didn’t know you needed.

There’s one passage in Neil’s speech that hit home, perhaps more than others:

So be wise, because the world needs more wisdom, and if you cannot be wise, pretend to be someone who is wise, and then just behave like they would.

So, for that second realization. I may be lying to myself, and you may be, too. As for me, I may not be the one to change the business world’s idea of infosec and the value we bring. But I’m going to pretend to be someone who can. And maybe that’s just as good.

Categories: Information Security, Musings

What’s RIGHT with Infosec

April 2nd, 2012

There’s a lot of general negativity in the information security community, often represented as a sense of futility and continual failure. This makes sense intrinsically, especially when you take “security” as a macro-level topic across the spectrum of news, etc. It seems like everyone is failing all over the place, and the media just eats it up. But is this really the case? In certain situations, sure. Some organizations just don’t care as much, and some security professionals are unable to get the job done due to lack of skill, politics, too much workload, or plain old apathy.

This is not a “black or white” issue though. I think there’s a lot of good happening in this space right now, and it all fundamentally comes down to the maturity of information security as a discipline. I’ve said this for years, and it bears repeating – this field is still really in its infancy, and has a long way to go. This post is just me observing the state of things, and I’ll list a few points that I think illustrate the good coming out of our field.

  1. We are coming to the realization that we WILL be breached. This is a huge, fundamental shift in mindset that’s actually healthy, not redolent of defeatism. We have too much surface area to cover, not enough people and technology, and dammit, defense is HARD.
  2. We are all risk managers and advisors. This does not mean we WIN or LOSE. We assess and advise, and then we live with the damn decision whether we like it or not. That’s how business has worked, and traditionally those organizations that were more willing to take risks and stick their necks out were rewarded (or crushed). You can’t expect business people to change that mentality overnight. And we’re starting to figure this out.
  3. A healthy offense can inform defense, and more and more organizations are figuring this out. And we’re actually getting better at it. Sadly, all the kids want to be superhax0rz, seems like defense is BORING. Maybe, but the truth of the matter is that most people aren’t cut out to be good superhax0rz, and without defense there would BE no offense. Let me say that another way. The only reason we do pen tests is to find holes and fix them. In other words, defense. So we’ve got a Yin and Yang deal going on here, and this is also becoming a healthy realization in more organizations than ever.
  4. We’re becoming less tolerant of bullshit bureaucrats who spout “policy” and “governance” with no credible skills to back this up. Thank God. If you’re the boss (CSO/CISO, etc) and have no real technical skill, then block and tackle for your folks, then get the hell out of the way and let them make you look good. Still more “infosec politicians” than I’d like to see, but at least we’re learning to work around this issue.
  5. We’ve realized the government is not going to help/save us. This may seem obvious to longer-term practitioners, but we’re basically on our own, and we’re just getting on with it.
  6. We’ve got some hella smart new blood coming into this field. If we could stop being crusty, snarky ASSHOLES long enough to embrace them, we’d see the industry advance even faster. 🙂

This post somewhat parallels my previous post titled “Doom, Gloom, and Infosec”, where I also outline some solid benefits of working in infosec (good money, smart people, etc.). This post is more about the overall advancement and maturity of the industry as a whole, and I’m glad to see it. Despite the sensationalized failures, we’re headed in the right direction, I’m sure of it.

Categories: Information Security, Musings