Shostack + Friends Blog Archive


A Way Forward

Since writing the New School, I’ve been thinking a lot about why it seems so hard to get there. There are two elements which Andrew and I didn’t explicitly write about which I think are tremendously important. Both of them have to do with the psychology of information security.

The first is that security experts are often excited by what we do. Many people have said to me “I can’t believe they pay me to do this!” That’s great — the enthusiasm, dedication and engagement that many security professionals bring to work helps us get through tasks which can feel depressing and futile. This enthusiasm can also lead to a great deal of attachment to projects. It can lead to frustration when our own risk assessments — as good as we can make them without outcome data — aren’t good enough to get things to go the way we know they ought to go so the business is protected.

There’s a constellation of ideas I talk about. There’s a crisis in information security, a need to change the way we work and the need to learn from other fields. And the passion that experts feel for our work makes those ideas threatening. It can seem as if I’m critiquing the way we do things out of malice, and that’s simply not the intent. I’ve been there. I’ve pounded the table and screamed at people. And I, and I think Andrew, wrote the New School so we can be more effective.

The second reason that I think we’re having trouble is that the personalization and attachment to our work makes mistakes feel like personal failures. They’re usually not. We get told that we need to write policies and force people to use 13 character passwords with 4 non-alphanumerics and changed every 3 weeks because that would lower our ALE if only we could calculate it. That it’s a best practice to claim that users are un-educatable and the problem. That if we fail our businesses will fail. That what that stupid engineer did was wrong. That’s the cultural orientation, the markers that we learn to use to identify each other. And when we fail after doing all of what we’ve been told, we feel it’s our fault. Our colleagues, our idols and our mentors can’t have been wrong, so it must be that we didn’t do what they said well enough. But no one wants to take blame, and so we double down on the same, failed, old school ideas and we hide our mistakes.

These are real and human reactions. I’m not critiquing anyone for reacting in these ways. We’re simply offering a way forward which has worked most everywhere it’s been tried.

3 comments on "A Way Forward"

  • Dennis says:

    “The second reason that I think we’re having trouble is that the personalization and attachment to our work makes mistakes feel like personal failures”

    This is an excellent point and one that I think applies to a lot of fields, including journalism and writing in general. Writing is such a personal craft that people tend to take any and all criticism very personally. That makes them more risk-averse and less willing to forward new ideas or look for interesting stories. I think that has contributed substantially to the me-too, vanilla reporting we see in all news media today, and we’re all worse off for it.

  • Rocky says:

    “The second reason that I think we’re having trouble is that the personalization and attachment to our work makes mistakes feel like personal failures. They’re usually not.”

    While responding to the latest orders from HQ to “do this stupid security thing because we believe it’s a Best Practice(tm)”, I had these thoughts:

    1 – We have a near infinite list of Required, or Recommended, Best Practices, … security things to do. In many cases, we (security practitioners) are doing the Recommending.

    2 – We will never get enough resources to do everything required or recommended.

    3 – Because of #2, we can rarely be held accountable for failures.

    Does this sound like a recipe for success?

  • ds says:

    >>
    1 – We have a near infinite list of Required, or Recommended, Best Practices, … security things to do. In many cases, we (security practitioners) are doing the Recommending.

    2 – We will never get enough resources to do everything required or recommended.

    3 – Because of #2, we can rarely be held accountable for failures.

    Does this sound like a recipe for success?
    <<

    Rocky,
    Among the rules I try to live by as a security leader at my firm is this simple one: "If I am not accountable (or perceived as accountable) for security issues then I am not doing my job correctly."

    Your example points are signs of wrong thinking, IMO. Our job is not to implement best practices, it is to identify security issues which would have a negative impact on business operations and apply controls to manage those issues.

    Your scope is limited by your resources, certainly, but that should be part of the discussion with business leadership, and they should either accept the risk that things will be missed or correct the resourcing issue. If someone isn't having that conversation in your firm, beware.

    In this way, your team (however limited) will be focusing on the most critical areas of risk, your business will understand what is and is not in scope, and you will be empowered and accountable within that scope.

    That's my view, anyway.
