Few fields have to deal in concepts as abstract as infosec does. Software is abstract to begin with; layer humans' well-known difficulty in reasoning about risk on top of that, and information security has two mountains to climb.
Believe it or not, Infosec people can learn some things from developers. For better and worse, Agile projects ship code. Developers have clearly embraced Thomas Carlyle: "Our main business is not to see what lies dimly at a distance, but to do what lies clearly at hand."
Security efforts often run aground on the search for perfection: nothing gets deployed until the perfect solution is in hand. And we certainly have no shortage of security problems to work on.
This is where the current state of security can be turned to our advantage as defenders. There is no perfect solution out there; in fact I will argue that even pursuing perfection is counterproductive. Butler Lampson has described his review of field-grade US military security and how it is far worse than best commercial practice. The reason, he concluded, is that military security is determined by the NSA, and the NSA is a crypto culture: either it is perfect or it is broken. Perfect does not happen, so what you get is broken.
The pursuit of one grand security architecture to rule them all is a fool's errand, but so is doing nothing. And given the current state of security, we are in a target-rich environment. Use that to our advantage: there is a ton we can do to improve, and it is not all seven-figure projects.
A good challenge is to find as many quick, dirty and cheap ways to improve your security as you can. You'll be surprised how many there are. People look at buying all-singing, all-dancing authentication solutions, but what happens after login? Have you looked at how authorization actually works post-login? Privileged users are in the spotlight, but before leaping to an uber-expensive "solution", what about simply monitoring their access? Efforts like these tend to create far more organizational momentum, and they have the knock-on effect of getting the security team out of isolation and working with the Dev and Ops teams.
Agree wholeheartedly!
I often tell people: "if we solve 40% of the iceberg by fixing some basic technical or process stuff, that's 40% we don't have to worry about again". Whittle away at the iceberg... Seems obvious, but it's not presented that way often.
Posted by: Brian | February 05, 2015 at 12:51 PM
As Ken van Wyck and Mark Graff like to point out, it's all about "good enough" security, not perfect security...
Posted by: David Mortman | February 12, 2015 at 07:59 PM