Shostack + Friends Blog Archive


What should the new czar do? (Tanji's Security Survey)

Over at Haft of the Spear, Michael Tanji asks [link to http://haftofthespear.com/2009/08/cyber-security-leadership-surv/ no longer works] :

You are the nation’s new cyber czar/shogun/guru. You know you can’t _force_ anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will?

My three:

  • De-stigmatize failure. Today, we see the same failures we saw yesterday because we don’t talk about what went wrong. We laugh and point fingers. We need to admit that everyone gets hacked, get over it, and start talking about how it happened and what we can do to learn from it. (This isn’t the same as accepting failure; it’s saying that we understand it happens, and starting to distinguish between what failures might be in our control, and how to expound that set.)
  • Gather data. This is a mirror to the de-stigmatization of failure. The czar should gather as much data as they can on a need-to-share basis, starting with federal systems. What happened? How did the failure manifest? Were there controls in place? Were they credible? Were they managed and monitored?
  • Shoo the mathematicians. No, not shoot, shoo. Send them off the pedestal for a while. Security is a social value, and as a social value, we need to study the human aspects of it like we did at the workshop on security and human behavior. [Update: What I really want is not to eliminate math, but to move to a diverse set of analytic tools. Of course we need math to analyze data, but I think we’ve gone too far with mathematical models, proven security, and need more engineering rigor. Engineering rigor is obviously based on math, but not done by mathematicians.]

These three goals are possible from a bully pulpit. They don’t require a lot of budget. (Heck, the datalossdb.org guys do it on a volunteer basis.) They’ll be transformational in the way we approach security.

Bonus fourth task: fine anyone $20 each time they say “best practices.”

What’s your take? What should the czar be trying to accomplish?

[Update: Pete Lindstrom takes up the challenge in “If I were a Czar.” Who else wants to take a whack at it?]
