A legitimate reaction would be, "Just what I need, one more blog about security." So, how is this blog different? Why should anyone care?
First, unlike most on this subject, this blog is not topical. While I may sometimes use a current report to illustrate an idea, this blog is not about what happened today. Indeed, in part, it is about "today not." It is not about the patch, attack, threat, or vulnerability of the day.
Rather, this blog is about a context and perspective in which to view and respond to the events of the day. It is about:
- Decision Making
- Management System
- Rules and Tools
It responds to my observation that security is a space in which intuition does not serve us well and in which rational thinking is difficult. There are many variables, some of which are unidentified. Even for the identified variables, the range of possible values, much less the exact or current value, may be unknown, or even unknowable. So, this blog will stress making hard decisions in the face of uncertainty.
The tools that we use to make these decisions include the language of risk assessment. We must keep these tools sharp and practice our skill in using them. However, few security professionals, much less others, use the terms of this language (e.g., risk, threat, attack, vulnerability) in a consistent and mutually exclusive way. For example, when asked by a reporter to enumerate threats confronting the enterprise in the coming year, a famous security guru (in the literal sense of guru) quickly listed three vulnerabilities: novel, interesting (at least to the two of us), and totally irrelevant to the average enterprise. So in this blog we will practice the use of these tools.
Because this is such a hard subject to talk about, your feedback will be necessary and welcome.