Shostack + Friends Blog Archive


Apologies to Richard Bejtlich

In the second half of my recent post  Just say ‘no’ to FUD, I described Richard Bejtlich’s post at Tao of Security as “FUD in other clothing”.  As Richard and Wade pointed out in their comments, this was over-reaching.  I apologize.

There is an element of FUD in Richard’s post, but it was a small element.  I latched onto his use of the concept of “existential threat”:

I have seen IT departments aligned under security because the threat to the organization was considered existential.

Of course, Richard isn’t saying that every organization should be run this way or that every organization faces existential threats due to information risk.

But I do wave the FUD Flag because the phrase “existential threat” is wa-a-a-a-a-ay over used in security and information protection circles.  As a basis for comparison, consider a case history of a real existential threat (non-security) — the Lehman Brothers liquidity crisis they faced just before the Sept. 15, 2008 collapse.  The other large investment banks faced a similar threat through a “domino effect” of collateral calls.  By this standard, existential risk due to InfoSec is extremely rare, in my opinion.  Yes, there are a few organizations that face existential risk due to threats to their information systems, but I would argue that such situations are extremely rare.  It’s interesting to note that one of the most likely existential threats rarely gets any attention from InfoSec professionals, namely the intersection between executive fraud and information security, a.k.a. the Uber Insider Threat.   (Scenario: SocGen mated with WorldCom and TJX, with some Madoff mixed in.)

For, the vast majority of organizations, information risk is “parasitic” to varying degrees.  Security breaches are a drag on performance.  The really bad ones may be extremely painful, but they won’t be severe enough to drive you out of business or to destroy your economic ecosystem unless you are already on the brink of collapse. 

Therefore, waving around the phrase “existential threat” smells like FUD to me.

As for Richard’s main points about what is really needed (“Leadership”) and what it looks like, I disagree for the reasons I stated.  Gunner Peterson has called this approach “The People’s Republic of IT Security“:

the People’s Republic of IT Security is just waaaayyyy smarter than the business folks, [so] if we just gave IT Security control over all business strategy the stock price would go right to $120 [from the current price of $10].

I made the mistake in my post of lumping both objections (FUD and People’s Republic) under one heading (FUD).  For that, I’m sorry.