
Information Security: Deader Than a Door Nail. Information Survivability’s My Game.

This isn’t going to be a fancy post with pictures. It’s not going to be long. It’s not particularly well thought out, but I need to get it out of my head and written down as tomorrow I plan on beginning a new career.

I am retiring from the Information Security rat race and moving on to something fulfilling, achievable, impacting and that will make a difference.

Why?

Mogull just posted Information Security’s official eulogy titled "An Optimistically Fatalistic View of The Futility of Security."

He doesn’t know just how right he is.

Sad, though strangely inspiring, it represents the highpoint of a lovely internment ceremony replete with stories of yore, reflections on past digressions, oddly paradoxical and quixotic paramedic analogies, the wafting fragility of the human spirit and our unstoppable yearning to all make a difference.  It made me all weepy inside.   You’ll laugh, you’ll cry.  Before I continue, a public service announcement:

I’ve been instructed to ask that you please send donations in lieu of flowers to Mike Rothman so he can hire someone other than his four year old to produce caricatures of "Security Mike."  Thank you.

However amusing parts of it may have been, Rich has managed to catalyze the single most important thought I’ve had in a long time regarding this topic and I thank him dearly for it.

Along the lines of how Spaf suggested we are solving the wrong problems comes my epiphany that this is to be firmly levied on the wide shoulders of the ill-termed industrial complex and practices we have defined to describe the terminus of some sort of unachievable end-state goal.  Information Security represents  a battle we will never win.

Everyone’s admitted to that, yet we’re to just carry on "doing the best we can" as we "make a difference" and hope for the best?  What a load of pessimistic, nihilist, excuse-making donkey crap.  Again, we know that what we’re doing isn’t solving the problem, but rather than admitting the problems we’re solving aren’t the right ones, we’ll just keep on keeping on?

Describing our efforts, mission, mantra and end-state as "Information Security" or more specifically "Security" has bred this unfaithful housepet we now call an industry that we’re unable to potty train.  It’s going to continue to shit on the carpet no matter how many times we rub its nose in it.

This is why I am now boycotting the term "Information Security" or for that matter "Security" period.  I am going to find a way to change the title of my blog and my title at work.

Years ago I dredged up some research that came out of DARPA that focused on Information Assurance and Information Survivability.  It was fantastic stuff and profoundly affected what and how I added value to the organizations I belonged to.  It’s not particularly new, but it represents a new way of thinking even though it’s based on theory and practice from many years ago.

I’ve been preaching about the function without the form.  Thanks to Rich for reminding me of that.

I will henceforth only refer to what I do — and my achievable end-state — using the term Information Survivability.

Information Survivability is defined as "the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents to ensure that the right people get the right information at the right time.

A survivability approach combines risk management and contingency planning with computer security to protect highly distributed information services and assets in order to sustain mission-critical functions. Survivability expands the view of security from a narrow, technical specialty understood only by security experts to a risk management perspective with participation by the entire organization and stakeholders."

This is what I am referring to.  This is what Spaf is referring to.  This is what the Jericho Forum is referring to.

This is my new mantra. 

Information Security is dead.  Long live Information Survivability.  I’ll be posting all my I.S. references in the next coming days.

Rich, those paramedic skills are going to come in handy.

/Hoff

  1. October 17th, 2007 at 21:00 | #1

    In the words of the Smartest Guy In The Room:
    Security is over and we're all going too stale.
    (Good seeing you at Beansec tonight….)

  2. October 18th, 2007 at 00:55 | #2

    Hey that sounds fun. Good luck changing the name of your blog.

  3. October 18th, 2007 at 04:18 | #3

    How about "resiliency"? =)
    Basically, we have a trickle-down problem from IT in general. The overall state of IT is "ganked", so security^wsurvivability is "twice as ganked". And yes, that's the technical term.

  4. October 18th, 2007 at 05:58 | #4

    The Changing Winds of Information Security

    Anybody who knows me very well, has worked with me, or has followed my blog (well, back when I still made substantive posts like this one), will know that I'm obsessed with not only questioning everything, but also asking the…

  5. October 18th, 2007 at 09:58 | #5

    Let's use "assurance" instead so we can meet monthly at BeanAss.

  6. October 18th, 2007 at 10:11 | #6

    Ptacek has suggested BeanSurv…
    What have I done!?

  7. October 18th, 2007 at 12:34 | #7

    "Information [Security] is defined as “the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents to ensure that the right people get the right information at the right time.
    A [security] approach combines risk management and contingency planning with computer security to protect highly distributed information services and assets in order to sustain mission-critical functions. [Security] expands the view of security from a narrow, technical specialty understood only by security experts to a risk management perspective with participation by the entire organization and stakeholders."
    Changing the words may feel good, but I don't think you've really made any underlying changes that will ultimately make you (or others) feel better about the profession? I mean, I can really define "Information Security" with your Survivability definition, no?
    I think the proper approach is to change our goals and measurements. We won't solve Information Survivability ultimately any more than we'll solve Information Security…at least not without changing the goal from being absolute victory to something more attainable. Until humans and all our fallibilities and vices are gone, we can't win this.
    Perhaps catalyzing that change by changing terms is a good thing, but I think the real effect comes from changing the goals, not the name.


  9. October 18th, 2007 at 15:42 | #9

    Honestly I can't tell the difference between your description of information survivability and how most large organizations look at information security – I must assume you are ranting for ranting's sake due to a lack of inebriation which has driven the part of your brain that normally allows you to smirk off the small stuff into the dark shadows of your intellect.

  10. October 18th, 2007 at 21:53 | #10

    Your definition matches nearly word by word ISM3's definition. Nice to see more people joining my personal view. From ISM3: "Traditionally, to be secure means to be invulnerable (resilient to any possible attack). Using ISM3, to be secure means to be reliable, in spite of attacks, accidents and errors. Traditionally, an incident is any loss of confidentiality, availability or integrity. Under security in context, an incident is a failure to meet the organization’s business objectives."

  11. October 19th, 2007 at 10:50 | #11

    @Amrit:
    If I could find my intellect, perhaps it would, in an odd sort of Peter Pan-ism, have a relevant shadow. At this point, I'd suggest the only parallel that exists is that I refuse to grow up…
    In terms of your statement, please go ahead and remove Financial Services from your example and requote the scope of the supposed "large organizations" who manage risk in this manner.
    I maintain, as I will speak to you about later, it's approaching asymptotic to zero.
    FiServ folks "get" managing risk — all sorts of risk and their intersection. "Most" companies, per my observation over even the last 3 years, are completely disconnected when discussing and articulating risk and showing value between their "security" initiatives and the business.
    I'll leave the rest of what I would respond with to your podcast and some follow-up posts I am writing…
    Suffice it to say, I think that the one in "neverland" is you. 😉 Hear that tick-tock, Captain Hook?
    Later alligator.
    /Hoff

  12. October 19th, 2007 at 14:04 | #12

    I think the only parallel between you and Peter Pan is you both like to wear tights and hang outside the window of little kids' bedrooms – but I digress 😉
    The problem is one of perception and who you talk to in an organization. When IT operations teams run security operations, then the organization is more aligned with your definition of information survivability. When you talk with IS folks they will tell you something completely different about the state of security in that same organization because they come from the risk/threat view. Let's talk about financial services, which for the most part have operationalized desktop security under the IT ops groups – they clearly align themselves with your definition of survivability and do not become clouded by the threat/vuln du jour. You talk to the security folks in these same organizations and they will paint a morbid picture of the end times and yet 99.99% of all financial services companies meander along doing quite fine increasing revenue and decreasing revenue independently of the utter confusion security tosses their way.

  13. October 22nd, 2007 at 02:20 | #13

    Suspicious Minds (Were Caught In A Trap)

    My friend Mogull seems to have the blues. Hoff and Shurdlu give us their opinions. As for me, I tend to agree more with Shurdlu than Mogull. Imagine if IT were unionized. And the Union said that only CISSPs or security professionals were allowed…

  14. May 2nd, 2008 at 06:20 | #14

    GRC – To Be or To Do

    GRC (or Governance, Risk Management, and Compliance for the uninitiated) is all the rage, but I have to say I think that again Infosec has the wrong focus. My problem with making GRC the central part of Infosec programs is best summed up by Charles Har…
