Thursday, December 15, 2011

Security is about Efficiency

For the first thirty years I was in the computer security business, I often wondered what I was doing. I didn't have a product or a service. I did not have a customer. The computer was so sparse that it was not even important. Was I making a difference?

Part of me really wanted to go back to project management at which I was better than the average bear. The projects might not have made an existential difference but I knew that I had done them well. Satisfying.

Even today, I get discouraged. When I look at health care and see that safety and privacy are being used as an excuse not to automate health records, I get discouraged. When I look at the payment card industry, I get discouraged. When I look at SCADA, I get discouraged.

When I read about on-line banking being used to rip off another small business, non-profit, or municipality I get angry. I get angrier still when the courts and the regulators permit the banks to escape their fundamental responsibility to ensure that all transactions are properly authorized.

I have the good grace, not to say good sense, to be chagrined when I hear that another enterprise has been completely compromised because a user clicked on an obvious bait message, or even an artfully crafted one.

I am sad when I see that High School Harry Hacker has grown into the organized criminal of the day and is being recruited as a spy by governments all over the world. I am shamed when so-called "security researchers" publish exploits for obscure vulnerabilities rather than work-arounds for those that are being actively exploited. I am shamed when rogue hackers identify themselves as "security consultants" and claim that they are just trying to be helpful, just doing what security people do.

I feel a sense of failure when I see that US government security, the best in the world for decades, has all but fallen apart: that it mis-classifies. under vets and supervises, and over-clears. Under these circumstances Wiki-leaks is inevitable. However, Wiki-leaks might be tolerable if it were not typical, if the entire government was not such a large source of leaks of sensitive and personal information.

We security people are probably not unique among professionals for holding ourselves to very high expectations and being disappointed with our results.

In order to keep my perspective, sanity, not to mention my self respect, I have put a post-it on my bathroom mirror. I read it several times a day. It says, "We are not about perfection."

That's right. It is not my job to prevent all leaks and losses. It is not my job to make the world safe for democracy, or even the Internet safe for all applications. It is not my job to prevent all the Seven Deadly Sins, the motives for the things that we do wrong. I am not responsible for every unchecked input, much less preventing all the SQL-injection and buffer over-flow attacks that exploit them.

It is not my fault that the banking industry has consistently and persistently ignored my sage advice to confirm all changes of address to the old address and unusual transactions out-of-band, to change from mag-stripe and PIN to smart-cards, and to use strong authentication.

While I have to advocate that all Internet facing web applications should use the OWASP Enterprise Security API, I am not responsible for most failures to do so. While I am responsible for using every teaching and training hour efficiently, I should not condemn myself for failing to communicate the entire canon in an hour or not rationalizing all media coverage and political thought.

Our job is to make the world work better with us in it than it would be without us. Fortunately we have such leverage that that is not very difficult. While we do not make the world perfect, we make an existential difference.

As security professionals, we are expected to know that some losses are cheaper to tolerate than to prevent, some damage cheaper to repair than resist, that no matter what they think they want, no one really wants perfect security. We are expected to know that the cost of security curve is not linear, that to halve one's risk, one must double one's cost, that the better one's security already is, the less efficient the next dollar spent.

Our job is to ensure that all of the systems, applications, networks, and enterprises in our care get the protection that is appropriate to their sensitivity and the environment in which they operate, and that expensive security measures are reserved only for the targets that require them. Said another way, our job includes avoiding the use of inefficient measures. It is more about efficiency than effectiveness. If we prevent a loss or save the cost of a protective measure, in either case, the impact falls right through to the bottom line of the enterprise, the line called profit, the one that measures enterprise efficiency and contributes to the productivity of the economy.

Our job is to ensure that the sum of the cost of losses and the cost of security is at a minimum. That is impossible to know at any given point in time. It is a balancing act. It is not stable; it moves as the threat changes and the cost of technology falls. It takes both measurement and management to approach it over time. However, that is our job and our opportunity. That is how we make the world work better and justify our existence. If it were easy, they would give it to someone else.

Only when we rationalize our expectations of ourselves, communicate those expectations to our employers and clients, and measure ourselves appropriately against them, will we be satisfied with our jobs, appreciated as professionals, and paid the big bucks.

No comments:

Post a Comment