Gartner's own John Pescatore has issued a 12 word post:
The best security program is at the business with the happiest customers.
Happiness? Really? That's the measure of program effectiveness? I would see those 12 words and raise them one word (13 if you're scoring at home):
There's a fine line between happy customers and playing piano in a bordello.
I mean the people running hedge funds and derivative books at AIG, Lehman and friends had lots of happy customers for the last decade!
To me the happy customer is a classic IT copout: "we just did what the 'business' asked". Like we're just a bystander or something. It's our job to create business value and be business like. We should seek to empower our customers, not make them happy.
Please understand I am not that guy who says IT security has to be the "bad cops" who deny everything the business wants to do. Just saying it is our job to raise the bar where we can. Raising the bar does not always create super happy customers in the short run, but it does empower companies.
Unfortunately, playing piano in the bordello is what a lot of security groups do, and even big analyst firms. The path of least resistance ain't always the way. Here is an example. I was at a client many years ago; they wanted to build a big Identity Management solution, so of course they wrote a big RFI and got responses from Sun, IBM, Oracle and friends. The bids were in the $3-5 million range. Pretty big projects for an Infosec team. So what do you do? Call up a big analyst firm and get some advice, right?
A week goes by and we get an audience with the "guru" from the Big Analyst Firm. The client has pretty detailed requirements: what systems they want to connect to, what use cases they are looking to solve for, and so on. We anxiously await the knowledge the analyst is about to transfer to us. His response was as follows: "What kind of shop are you? IBM shop? Oracle shop?" "Ummm...we are a huge company, we have everything." "Well, if you are more of an IBM shop you should go with them. If you are more of an Oracle shop you should go with them." That was the extent of a 30 minute conversation. True story.
Of course, the one value proposition of the Big Analyst Firms is that they supposedly can tell you what everyone else is supposedly doing. There is some value in this, I grant you. And it does make for happy customers, because even when you force your customers to change you can say "Well geez, I know it's hard, but the Big Analyst Firm says that everyone is doing it." But is this security improvement?
Back in 2004, I went to a great security conference, Information Security Decisions (they are back in Chicago next week). It was in Chicago, downtown on the river. Tom Davern even took us all out on a boat for lunch one day. Anyway, there was one truly great talk there. It wasn't Fred Cohen debating Gary McGraw on application security, which was outstanding (Fred uttered the memorable line "I agree with Gary everywhere he agrees with me." Gary won the debate; his best line, "We know how to win the software security war, but we don't know how to manage the peace", is still the problem today actually). It wasn't Pete Lindstrom showing his security metrics framework (which is still a great starting point). It wasn't Dan Geer's fireside chat.
The truly great talk, though, was by the now departed Robert Garigue. It was called "It's the End of the CISO as I Know It (And I Feel Fine)." The whole end to end talk was wonderful; there are several things in there that I still use every single day, like the separate security models for Infostructure and Infrastructure, but the point I want to talk about is the CISO role.
Garigue talked about the two most prevalent CISO models: the jester and the bad cop. The jester CISO:
Sees a lot
Can tell the king he has no clothes
Can tell the king he really is ugly
Does not get killed by the king
Nice to have around, but how much security improvement comes from this?
The jester has happy customers! At least for a while.
Again, I grant you bad cop is not the way to go either (and while this already long post could read harsh on John Pescatore's pithy summary, I give him a lot of points for saying that security needs to be customer conscious).
We have all seen bad cop CISOs for whom:
Changes happened faster than he was able to move
Did not read the signs
Good intentions went unfulfilled
A brutal way to end a promising career
Sad to have around, but how much security improvement comes from this?
Obviously these models of CISOs are not solving our information security problems. Instead Dr. Garigue points us to Charlemagne as a better model:
King of the Franks and Holy Roman Emperor; conqueror of the Lombards and Saxons (742-814) - reunited much of Europe after the Dark Ages.
He set up other schools, opening them to peasant boys as well as nobles. Charlemagne never stopped studying. He brought an English monk, Alcuin, and other scholars to his court - encouraging the development of a standard script.
He set up money standards to encourage commerce, tried to build a Rhine-Danube canal, and urged better farming methods. He especially worked to spread education and Christianity in every class of people.
He relied on Counts, Margraves and Missi Domini to help him.
Margraves - Guarded the frontier districts of the empire. Margraves retained, within their own jurisdictions, the authority of dukes in the feudal arm of the empire.
Missi Domini - Messengers of the King.
This is the way forward! Find software security champions in the architecture and development groups, help them understand the real security issues. They will find solutions you have not thought of. Same for DBAs, same for business analysts even. It's all about beating the bushes, education, and decentralizing security services. Specifically, he points out this important mandate for IT security:
Knowledge of risky things is of strategic value
How to know today tomorrow's unknown?
How to structure information security processes in an organization so as to identify and address the NEXT categories of risks?
To me this is our mandate and measure of effectiveness: empower our customers, educate, and create business value. If I am a CISO I don't want 20 people reporting to me who do firewall ruleset changes. I want one champion in 20 different groups: development teams, architects, DBAs, business analysts.
A concrete example: infosec can continue to go along with the herd and follow the "what everyone else is doing" architecture, meanwhile developers are connecting every single thing in your business to the Web. I have been doing integration and new technology projects for a long time, and let me tell you, change does not always create happy customers in the short run. But the chart below shows that information security is maybe more concerned with not causing waves than with adapting.
How long can developers evolve and connect everything while security people change nothing? Herb Stein said, "things that can't go on forever, don't." At some point these chickens are coming home to roost. There is a yawning gap between the rapid evolution connecting the enterprise and the 13 year old and counting security architecture that "everyone else is using", and when those chickens come home to roost you may not have happy customers then. Here are my 12 words:
The best security program is at the business with sustainable competitive advantage.