Robert Garigue died last month. I met him at ISD conference in Chicago in 2004 (I believe he was CISO at First Bank of Montreal at the time). I went up to him afterwards and said that his talk was right up there with anyone I had ever heard in terms of how insightful his thinking was, approaching age old problems in new ways, and all the different angles he had looked at the problem from, and most importantly how he made it all actionable. He was very humble and friendly, and we chatted for a long time. I regret that I never got to do any work for him.
The presentation he gave was called "It's the End of the CISO As We Know It (And I Feel Fine)". Slides are here. The issue that Dr. Garigue articulated as well as anyone I have seen is that Information Security is not just security or just information. I have had the slide below printed out and hanging above my desk for several years.
Most security people struggle with this concept and try to separate these two concepts, and if they do, they miss two very important issues. First, they miss the opportunity to look at security as a business enabler. Dr. Garigue pointed out that because cars have brakes, we can drive faster. Security as a business enabler should absolutely be the starting point for enterprise information security programs. One excellent example of this is identity federation, which enables easier integration across companies and technologies and puts stronger identity credentials on the wire in the process. Secondly, if your security model reflects some CYA abstraction of reality instead of reality itself, your security model is flawed. I explored this endemic myopia in a series of posts on decentralization and security. JSB and John Hagel taught us that integration and friction cannot be separated; attempts to do so lead to confusion and disorder, and this is the heart of the issue Dr. Garigue's work is articulating. If your business and systems are decentralizing with both hands, and your security model is predicated on centralized, iron-fisted control, then the only place your security model works is on the whiteboard.
I also learned an equally important lesson from Dr. Garigue, which is how to communicate and put into practice the concepts and designs inside an organization. My partner Pat Christiansen likes to say that architecture is 50% technical ability and 50% communication, so this is a very important point. Dr. Garigue contrasted two historical models for CISOs. The two primary models will be instantly recognizable to IT Security veterans. First, the CISO as a court jester:
• Sees a lot
• Can tell the king he has no clothes
• Can tell the king he really is ugly
• Does not get killed by the king
• Nice to have around but…how much security improvement comes from this?
Next we have the CISO as roadkill:
• Changes happened faster than he was able to move
• Did not read the signs
• Good intentions went unfulfilled
• A brutal way to end a promising career
• Sad to have around but…how much security improvement comes from this?
Obviously these models of CISOs are not solving our information security problems. Instead, Dr. Garigue points us to Charlemagne as a better model:
King of the Franks and Holy Roman Emperor; conqueror of the Lombards and Saxons (742-814) - reunited much of Europe after the Dark Ages.
He set up other schools, opening them to peasant boys as well as nobles. Charlemagne never stopped studying. He brought an English monk, Alcuin, and other scholars to his court - encouraging the development of a standard script.
He set up money standards to encourage commerce, tried to build a Rhine-Danube canal, and urged better farming methods. He especially worked to spread education and Christianity in every class of people.
He relied on Counts, Margraves and Missi Domini to help him.
Margraves - Guard the frontier districts of the empire. Margraves retained, within their own jurisdictions, the authority of dukes in the feudal arm of the empire.
Missi Domini - Messengers of the King.
Specifically, he points out this important mandate for IT security:
• Knowledge of risky things is of strategic value
• How to know today tomorrow's unknown?
• How to structure information security processes in an organization so as to identify and address the NEXT categories of risks?
These considerations put information security where it should be focused - not building castles and drawbridges - but as a key collaborator helping the business manage its risks, and helping IT build and run more secure systems, with the ability to communicate the risk and design considerations to both audiences.
Two of his main focus areas align with my work and with where I think security has the opportunity to make real progress. Web services and XML security enable security teams to build new models for delivering security services to their stakeholders; in Dr. Garigue's words:
• Context is embedded in content
• Machine reasoning replaced rote calculation
• Taxonomies and ontologies combine with declarative logic and the autonomous learning of concepts
• Belief systems can be visualized and compared in time and space
And he advocated for developing and using security metrics that enable a better signal-to-noise ratio in how we communicate results and progress to our stakeholders.
“Computers are epistemological exploration machines. They are means and ways to investigate the life cycle of knowledge. Right now, these ways and means are still simple but eventually, computational systems will construct valid theories and discover new knowledge all by themselves.” - Robert Garigue
Rest in peace.