Infosec can, at times, be disheartening. You look at Apple's #gotofail and you think - how did they manage to screw up the most fundamental and oldest security protocol on such a wide scale with such an old bug? On days like that it can feel like, if someone like Apple cannot get the basics right, what chance does an average company have?
But on the other hand, I see company after company where the security teams are just getting started at looking at what matters - appsec, identity, data. New appsec teams with real tools, real budgets, and real mandates. In terms of actual defensive effort - it's early days. People love to tell scary stories about threats and how defenders will always lose and how the problems are overwhelming, but I wonder if most of the problems we have are due to the fact we have not really tried to solve them yet.
Problems that are presented as intractable with all-powerful opponents sometimes just need new efforts. Around 60 years ago, the air quality in Los Angeles was awful. It was seen as an unsolvable problem, but smog pollution dropped 98% in the last 50 years. Why? Cleaner fuel, cleaner cars, intelligent regulation.
A few inches of snow is enough to close down many US airports and delay travel for days. But over in Scandinavia, home of eleven months of winter and one month of darn poor sledding, you see track records like Stockholm's Arlanda airport where they have not had to close due to snow in 50 years. Oslo and Helsinki have similar records.
Think about that. It is cold enough that planes need to be deiced starting in August, yet these Nordic airports have better success battling more hostile elements than Atlanta or Minneapolis. Why? Well, one answer is they cared and they tried.
The snow plow drivers basically do not take breaks; colleagues run and hand them coffee so they can keep plowing without getting out of the plow. They take pride in their track record. They practice. Crews run drills against 20 different weather patterns. The airports do not use off-the-rack technology. They create purpose-built tools and design equipment for their specialized requirements: the largest snow blowers in the world, capable of moving one ton of snow a second, and machines that can plow, sweep and blow snow simultaneously.
The Infosec industry has struggled to this point because it's been dominated by a "Weather channel" mentality, romanticizing threats, raving about Snownamis. Despite our challenges, I think Infosec at this point is in a good place going forward, where, like the smog war in LA, we have recognized the problem. Like Nordic airports, we are seeing companies revamping tools and processes and digging in for the next phase. Making an effort. As unsettling as it feels when a company like Apple has a bug as bad as #gotofail, it's also worth thinking about what infosec may look like once the investments that many companies are making in new security teams, tools and processes eventually bear fruit.
"...be aware that the market does not turn when it sees light at the end of the tunnel. It turns when all looks black, but just a subtle shade less black than the day before,"
-Jeremy Grantham, "Reinvesting When Terrified", March 2009
There is a lot to do, can't get started any sooner than right now. No such thing as bad winter weather, only opportunities to improve bad snow removal equipment, dysfunctional teams and processes.