From Stephen Northcutt's remembrance of Hal Tipton:
I was asked to work with NASA as part of the get back into space after the Challenger disaster. The project culminated with a series of briefings to senior management and I did one on security. In the evening there was a mixer. Hal came up to me, pushed his finger into my chest and said, "You have no idea what you are talking about!" OK, I thought to myself and waited. Hal continued, "Your job is just like the loss prevention officer at Kmart. You can't protect your organization from attack, the best you can hope for is to keep shoplifting to a low enough level that they do not close the Kmart." At the time I was a bit offended, but as the years have gone by, I have come to see the wisdom of his point of view.
This mindset gives the right business context on how to look at security issues, especially in terms of survivability. I would further add one clarifying quote from Roger Needham (talking about systems back in the 1970s):
Going all the way back to early time-sharing systems, we systems people regarded the users, and any code they wrote, as the mortal enemies of us and each other. We were like the police force in a violent slum.
The world changes, but in Infosec not so much, eh? So, combining these two thoughts, the right mindset is that of a Loss Prevention Officer at a Kmart located in a violent slum.