I am happy to see that my friends at Cigital have started a blog called Justice League focusing on software security and quality. Cigital is one security company that has always recognized that pinning your security hopes on a magic device or widget does not make you secure; rather, rolling up your sleeves and engineering your code and processes to build more secure software is where you should be focused. Now some of my favorite Cigitalites have a blog to share their ideas with the blogosphere.
John Steven and I co-edit the IEEE Security & Privacy column (started by Gary McGraw) called Build Security In. John blogs about Keeping up with the Jones' Security Initiatives:
Keeping up with the Jones’ Security Initiatives ... Over time my relationship with clients deepened, as did their maturity in software security. Their questions also deepened, getting more specific: “How far down the static analysis tool adoption path are my competitors?” I can’t see any way of answering questions this specific without giving away others’ competitive advantage, potentially exposing them to risk, or violating their trust (not to mention NDAs). Stuck wondering if I would be unable to provide further perspective, I began to question this perspective’s real value: “Is the Jones family really the goal?” I asked myself. Actually, I’m pretty sure it isn’t. Each organization’s security efforts should grow very differently from one another. They’ll start at different places, sure. Not only that, but even if you tackle the same problem as your competitor chooses to tackle, the ‘optimal’ approach for each organization differs. Why? Because each IT shop grew up to support their business differently. Metaphorically both you and the Joneses have children—but both sets of children have very different special needs.
Exactly! This is a huge problem. Why does security operate differently from the rest of the business? Would your sales & marketing team just do exactly what your competitors do? How do you differentiate your company then? Would you invest in a stock because your neighbor did?
This is a big issue and a barrier to enterprises improving their security. A lot of it is driven by the reality that digital security is generally looked at as infrastructure. What do you mainly do in infrastructure? Keep costs down, keep the lights on, find things that are commoditized, and, yeah, do what everyone else does. But here is the thing: now that businesses are decentralized and heavily (hyper?) integrated, security is not just about infrastructure. It is about how reliable and resilient you want your business processes to be, and, yeah, how much you want to spend to get those qualities. Hmmm...tough questions...Let's ask Ms. Jones what she thinks.
So to move from an infrastructure focus towards innovation, customers and markets, a different approach to information security is required. Education is key; as Robert Garigue pointed out, infosec and CISOs need to look at Charlemagne as a model. You can't outsource your homework to the Jones' kids.
Also, check out Scott Matsumoto's discussion on Built In or Bolt On security.
> “Is the Jones family really the goal?” I asked myself.
The reason that security people do what their competitors are doing is because they cannot explain what is right and proper. In such an environment, they have to CYA by doing _best practices_, which naturally emerge to be a standard set (it doesn't matter what the best practices are, only that they exist). Best practices secure the jobs of the security people, because there is nothing, apparently, better that they can do. Problem solved.
(I call this the market in silver bullets.)
The underlying problem then becomes one of knowing what security is and how to improve that knowledge. For this reason, secondary disclosure of breaches is very interesting; if we can disclose our breaches to our competitors, then our knowledge can improve.
Unfortunately, breach disclosure suffers from a prisoner's dilemma, as we only benefit if we all exchange the information, and we don't lose if we cheat.
Posted by: Iang (Market for Silver Bullets) | April 18, 2007 at 04:50 AM