That is a line from Bob Dylan's song "It's Alright, Ma (I'm Only Bleeding)", and you can say the exact same thing about infosec. Sure, there are security problems, but the funding for most security budgets weathered the financial crisis quite well. The real question is whether those budgets are directed at things that matter, or whether security is just bleeding.
Lenny Zeltser bangs the drum that infosec needs to expand its toolbox: when all you have is a hammer, the world is a nail. When all you have is Ops and infrastructure skills and people, everything looks like an Ops problem. Hoff counters, in Rational Survivability fashion, that the skills needed to close the gap - architecture and design skills - are much harder to come by, and that the transition is hard.
No argument from me that a transition is required, but the Arch/Ops divide exists everywhere in IT: logical DBA v physical DBA, developer v sys admin, and on and on. This is manifestly not a security-specific issue.
No, the real issue was summarized by Jeff Immelt the other day, talking about the US as a whole: "And I hate to be this blunt, but a country that builds things". Security absolutely must be in that business. Get out of the ivory tower and into the game of building things - which, by the way, involves rational tradeoffs.
Lenny Zeltser has excellent suggestions for making the transition: business domain expertise, app/data security, usability guidance, tools, and yes, mentality (as I like to say, the business of enterprise security is business). This list is a great start. I would also add integration - infosec needs to get better at making things work in the real world. Be rigorous with your policies and guidelines: if you don't have a working example of a policy or guideline inside your organization, take it out. It's wasting people's time if there is no way to make it work.
The pushback from Ops sec is usually "well, that sounds hard", but architecture, development and integration are not so much hard as they are different.
I remember a few years back I was working with a security manager who was building out an AppSec practice. He was looking for people and not having any luck. I asked if I could see the job req. He showed it to me and I said, "I can see the problem right here: you are asking for 5-10 years of security experience. Take that part out."
He looked at me like I was crazy. I said, "You need people who know how to build and ship things, people who are comfortable in a gray world, who are used to coming in and making it slightly less gray than when they started, not issuing black and white ultimatums like 'secure v insecure'. Building is all about compromise and tradeoff and indirectly reaching the goal."
Making changes is hard, but necessary. John Maynard Keynes points out: "A sound banker, alas, is not one who foresees danger and avoids it, but one who, when he is ruined, is ruined in a conventional and orthodox way along with his fellows, so that no one can really blame him." Firewalls + SSL!
It's not to say that the Ops and Audit functions that dominate infosec today are not important - of course they are - but by themselves they are wholly insufficient for delivering security in the real world. Focusing on other domains like business, app, and data sounds hard, but it's really just different. The industry does not have enough people who have crossed the 10,000 hour barrier in those domains.
Time for infosec to mature and not exist solely in the Ops bubble.
Update: Hoff posts some more analysis on the topic.
Brilliant!
Posted by: Barak Obama | January 27, 2011 at 05:53 PM