Home > Information Security > A Glimpse Into the Security Mindset

A Glimpse Into the Security Mindset

January 22nd, 2010

backtofuture_228x224All IT professionals, regardless of specialty, face a number of challenges. Some, if not all, of these will affect most IT professionals in some way or another throughout their career:

  • Lack of budget, IT is considered “overhead”
  • Lack of respect from other business units, we’re only one step removed from R2-D2
  • Lack of social skills, you spilled Mountain Dew on your too-short pants at the meeting
  • Politics, the smiley well-dressed guy that wears too much cologne with the football analogies is better-liked than you

There’s also a bevy of more specific technical challenges that could plague IT folks (this list is almost infinite):

  • You are trying to integrate new platforms into the environment
  • You are trying to keep legacy systems afloat
  • You are trying to communicate with the mainframe people, who DO in fact resemble R2-D2
  • Upgrading/replacing systems
  • Upgrading/replacing applications
  • Managing users, scripts, logs, storage, networks, devices, etc etc etc.

Security people have a challenge that is 100% unique to their discipline: we have adversaries.

Now I know some of you in areas other than security will argue that you have adversaries, too. If security is even a tiny part of your job description, then you may be right. But the burden of fending off adversaries, both internal and external, falls squarely on the shoulders of information security teams. This lends an entirely new dimension to the concerns that plague everyone else:

  • We cannot prioritize new functionality over security and stability. Ever. Lest adversaries take advantage of this and exploit vulnerabilities.
  • Things like coding languages employed, platforms chosen, and applications deployed really need consideration not from what they offer us, but for how breakable they are.
  • The concept of time is more relevant to us than anyone – our priorities can, and should, change as the threat landscape does. We have opponents, some coordinated and others standalone, actively trying to come up with new ways to cause us harm. This means we need to ensure these new methods they’re employing will be as ineffectual as possible, all the time.

This is an over-simplification at best. However, it’s an oft-overlooked factor that tends to be forgotten in the day-to-day dynamics of our interactions.

Categories: Information Security Tags:
  1. January 22nd, 2010 at 16:40 | #1

    Hi Shack

    I always call it “managing conflict” in that there is this great triangle of things that are constantly at odds with each other: cost, security/paranoia, and useability/operations. If any one of these 3 wins out, it does it at the expense of the others.

    If you can’t manage conflict, you might want to find another career path, Mkay? =) Actually, I think the whole lot of security people thrive on conflict. If we don’t have enough of it, we start making up reasons to have more of it because if we’re not a target, we don’t know how to behave.

    I’m still trying to figure out if security attracts argumentative people or if it turns people argumentative over time. Chicken-egg, what does it matter when we’re all just rude, abrasive jerks anyway? =)

  2. admin
    January 22nd, 2010 at 17:42 | #2

    @rybolov
    This is a good breakdown, actually – and I think the argumentative point is well made, probably somewhere in the middle. The reassuring thing, perhaps, is that we will always be a target to someone. I would bet on this.

  3. January 28th, 2010 at 00:14 | #3

    I don’t completely disagree with your point.

    Don’t some others in IT, particularly those in product development roles and those within emerging businesses feel they have adversaries in the guise of competitors? Some known and some unknown? Is what the Amazon Kindle dev team thinking today with the iPad release adversarial?

    At the ISACA Vegas conference there was a lot of talk about the dissatisfaction in the info sec profession. To answer part of my own question, many of my clients seem to have a bunker mentality as they live a Sisyphian life (Read: Same thing, different day) fighting the fight. Their peers in product development get the occasional win of a release, a product award, etc. while the infosec adversary never goes away.

    Other differences between the competitive adversary and the threatening adversary you are describing?

    Love the blog by the way.

Comments are closed.