Horseless Carriages and Whale Interpreters
This post was submitted to me via email from a good friend and colleague who understands the effort and wanted to continue the post I started yesterday. Someday we should convince Rich to blog with us on a regular basis!
Good progress. I thought you were going a different direction with the analogy of a horseless carriage. It does represent the relative unimportance of a name in the grand scheme of things. I do refer to my vehicle as a buggy, however… I think it also serves as a good analogy for the shift in fundamental thinking around security. The old way is comparable to the horse-drawn carriage - of security bearing the burden and dragging a resistant load across the finish line into a state of compliance.
The new, desired model is that of a horseless carriage, where the will and the means are one and the same. The model speaks to awareness, stewardship, integration, design for compliance, secure lifecycle, secure standards and solutions, and of a distinction between operational security (everyone doing everything securely) versus security Center of Excellence (Security as a function for compliance monitoring and subject matter expertise/leadership).
We all know as security professionals that our job as that horse is to put ourselves out of business and yet in all likelihood we will never succeed at doing so. We can, however, succeed in transferring more of that responsibility to our various stakeholders. In my mind, the era of firewalls being a “security product” is over - there is only secure network design and administration. The era of antispam, antivirus, and content filtering as security initiatives is over - the era of secure messaging has arrived. Same thing for application security and the need for software development to bring the people, process, and technology to bear that prevents vulnerabilities at the source, rather than as the result of costly security assessment and remediation process.
One of the lessons I’ve learned is that if you attempt to consolidate everything “security” into a single empire, you will simply fail. You CANNOT absolve people of their responsibility to do things securely. We see this now with the push for application security and the dollars spent on finding vulnerabilities through costly assessments that, in some cases, result in more revenue for developers to remediate the findings. You CAN arm the right people with the right information at the right time integrated into the right process with the right controls and expert consulting services. Lead. Engage. Align. Perform. If Cisco doesn’t have an exclusive right to the use of the word LEAP in the context of security, I think it captures the energy, direction, and significance of this as a global movement.
If there is a letter to add, it’s V for value. For too long we have been advocating security for security’s sake. At the end of the day we work for a business and we are here to enable the business to make money, securely. We need to make our security investment wisely. We need to continue to bring the tools to the table (such as Return on Security Investment or ROSI and threat modeling) that demonstrate that value. We need the metrics that support that we aren’t simply pissing away shareholder value to chase ghosts. On the flip-side, we also need to start burying the cost of security into everything we do, rather than rolling it up to a centralized security budget. If it is a separate and discrete security person or technology, or too immature to embed within operational security - roll it up. If it is a requirement and an integrated part of a business process - leave it be.
In closing, we need to develop stronger business acumen so that we can tell our story in business terms. The business still looks upon many security professionals as whale interpreters - on what basis can anyone not in the field refute our findings? (the whale just agreed with me, by the way). The ability to put a ping flood, phishing scam, salami attack, buffer overflow, or tcp tsunami (see, I made that one up) into relevant terms and actions that a business person can digest is still a soft-skill and hard to come by. We need career roadmaps for security professionals that develop these soft skills: communication, negotiation, and business acumen rather than the traditional focus on how to become the best damn whale interpreter in our field…
Editor: Thanks, Rich. Good insights and I really like the approach.
Posted in Information Protection
RonW said,
November 21, 2006 @ 2:01 pm
Whale interpreter?! I’ve never been called that before. Better than the alternatives I guess.
Security 2.0 (or whatever it’s now called) addresses this in its third dimension - Preparing professionals to be successful.
I was speaking with a professor from a local university with an Information Assurance program. We agreed that security professionals need instruction in business, leadership and communications almost more so than they need it in computer science and mathematics.
“Oh the times, they are a’changin’”
Side note: I’m going to be speaking on this at RSA 2007.