
Archive for Catalyst Insights

When Did My Personal Information Become Your Property?

A colleague recently asked me this question. It’s vital, because if my personal information belongs to someone else, then they can do whatever they want with it. If data is property, then they can buy, sell, license, or give away my identity without my consent. This puts me at risk, because I must rely on the good will of a third party to keep my identity secure.

But if personal information really were property, then I should be able to permanently sell, or “alienate,” it. But unfortunately, I can’t sell personal information like a car. If I sell my car and the new owner paints it purple or runs it into a tree, it’s not my problem. But we all know that if I sell my personal information and the new owner “crashes” my identity, I suffer. Unlike all forms of property, personal information is inherently inalienable. Unless you enter the witness protection program, you’re stuck with your identity no matter how many times you sell it, and no matter how many times it is crashed.

Data as Property

Intellectual Property law does not generally treat personal information as property.1 Most personal information, such as names, addresses, phone numbers, and social security numbers are facts. Facts are not copyrightable.2 You can’t patent personal information,3 and it certainly isn’t a trade secret.4 In short, nobody “owns” my name, including myself. And if someone could “own” my name, it would most logically be my parents, since they created it. But my mom can’t copyright my date of birth, and the government can’t patent my social security number. My phone number is not an AT&T trade secret, nor is it mine.

However, data often behaves like property, and so it is treated as such. Like property, personal information has value. Entire multi-billion dollar industries thrive on the sale and exchange of personal information. Next, like any form of property, personal information in databases can be shared, sold, licensed, stolen, or lost with remarkable efficiency.5 And unfortunately, you don’t have any constitutional right of privacy when you give your personal data to a third party.6

Some laws recognize that personal information has value. For example, United States election law requires that candidates disclose the value of all in-kind campaign donations, including databases of potential voters.7 Other federal and state statutes, such as the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, require corporations to account for the fair market value of assets, which may include customer data. Even tort law says that some forms of privacy come from a trademark-like ownership of one’s name and likeness.8 And breach notification laws seem to assert that companies which collect personal information “own” it.9

Data as Self

But that isn’t the whole story. Unlike every other form of property, you can’t alienate personal information (such as bank account numbers, credit scores, social security numbers, or police reports) even if a third party creates it. Personal information is different from property, since property is presumptively alienable.

In the Information Age, you are not much more than “an electronic collage of bits of information, a digital person composed in the collective computer networks of the world.”10 In other words, a person may now be defined as just a few pieces of data. This data is your Data Self. Your Data Self is a collection of your credit report, Facebook page, Google results, bank account numbers, archived e-mails, and an endless parade of other data. Your Data Self is a digital alter-ego, with its own personality, dispositions, fallacies and mortality. Your Data Self also has the power to enter contracts, grant access to your financial assets, have surgery, commit crimes, or be kidnapped.

When your Data Self belongs to someone else, it can be forced to act against your will. If someone makes your Data Self sign a contract, you are bound by it. If your Data Self is convicted of a crime, you can go to jail. If someone forces your Data Self to take out a loan, you must repay it. If your Data Self has an operation, you may no longer qualify for medical insurance. If your Data Self is abused, stolen, sold, manipulated, or forced to act against its will, you suffer the consequences. In this sense, “Identity Theft” might be more descriptively defined as “Digital Kidnapping.” Identity Theft is when someone pretends to be you by “kidnapping” your Data Self, doing something bad, and you get blamed.

Data IS Self

In my view, this is a startling development. As long as my Data Self is a third party’s possession, then they can also treat me like property. The now popular crime of Identity Theft is the most visible consequence of this trend. In fact, the very term “Identity Theft” epitomizes the clash between the Data as Property and Data as Self theories of personal information: First, you have an alter-ego digital “identity” or Data Self; and second, your Data Self is subject to theft and abuse, like property.

Fortunately, the 13th Amendment ended slavery, and human muscle, once required for agriculture and labor, does not command the same economic premium in a post-industrial society. Instead, a person’s economic value now lies in his access to financial assets and credit. Our Data Selves are easy to coerce, and we are now worth more in bytes than in flesh and blood. As long as Data Selves are digital property, new crimes similar to identity theft will continue to arise, and our society runs the sinister risk of a new form of human trafficking: A type of Digital Slavery, where third parties can own, abuse, and force Data Selves to act against their will.

Aaron Titus is the Privacy Director for the Liberty Coalition, and welcomes feedback.


Footnotes

1. 19 NO. 7 Intell. Prop. & Tech. L.J. 5, 8
2. Feist Publications, Inc. v. Rural Telephone Service, 499 U.S. 340, 363-64, 111 S.Ct. 1282, 1297 (1991) (Holding that an alphabetized collection of personal facts in a phone book is not copyrightable because 1. Facts are not copyrightable, and 2. The phone book lacks minimally creative selection, coordination, and arrangement. “As a statutory matter, 17 U.S.C. § 101 does not afford protection from copying to a collection of facts that are selected, coordinated, and arranged in a way that utterly lacks originality.”)
3. 35 U.S.C.A. §§ 101-102.
4. Facts in a database may qualify for trade secret protection under state law, but only if the information meets stringent requirements, and remains secret. 19 NO. 7 Intell. Prop. & Tech. L.J. 5, 8.
5. Identity Theft Resource Center, Press Release - 2007 Breach List; Privacy Rights Clearinghouse, A Chronology of Data Breaches.
6. United States v. Miller, 425 U.S. 435, 443-44 (1976) (Holding that bank records have no fourth amendment protection, and are subject to government subpoena with no infringement of an individual’s rights).
7. 2 U.S.C.A § 431(8)(a).
8. “Tort” law is common- or judge-made law that allows people to sue others for doing bad things. For example, the tort of Appropriation of Name or Likeness is when someone uses a person’s name or picture for financial gain: Rest. 2d Torts § 652C cmt a. (1977) (The Tort of Appropriation of Likeness gives the individual “exclusive use of his own identity, in so far as it is represented by his name or likeness, and in so far as the use may be of benefit to him or to others. Although the protection of his personal feelings against mental distress is an important factor leading to a recognition of the rule, the right created by it is in the nature of a property right, for the exercise of which an exclusive license may be given to a third person, which will entitle the licensee to maintain an action to protect it.”).
9. See, e.g. Cal. Civ. Code § 1798.81.5(a).
10. Solove, Daniel J., The Digital Person. New York University Press, New York. 2004. p. 2

If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted in Catalyst Insights, Information Protection

What’s Your Personal Unique Selling Proposition?

By Joe Coates

Picture this. You get on the elevator and realize you are alone with the CEO of your organization. He looks at you and says, “Tell me in 25 words or less what you do and why it is important to this company.”

What would you say? Do you have an answer prepared? Does your answer have words like “synergize” or “leverage” or other corporate vision-speak that means next to nothing?

As the current financial credit crisis spreads across the globe, it is imperative to your career that you give serious thought to crafting a Personal Unique Selling Proposition (USP) for your job.

So what’s a USP? The term was coined by an advertising and marketing heavyweight named Rosser Reeves in his 1961 book Reality In Advertising. I believe the idea was best described by Dan Kennedy. He says your USP needs to communicate to your audience why they should choose you over all their other alternatives, including doing nothing. So from a Personal USP perspective, think about why your organization should choose you, above all other alternatives, to deliver the results you are expected to deliver.

Probably the most famous USP in recent history is Domino’s classic “Fresh, hot pizza delivered in 30 minutes or less, guaranteed.” Domino’s chose to focus on their ability to get the pizza to their customers hot and in a half hour or less. They never claimed the pizza would be any good. And thanks to that USP, they sold a lot of pizzas that were not very good. But they were hot, and they came pretty quick, and you didn’t have to go get ‘em.

Michael Santarcangelo’s USP for his terrific book Into The Breach is his approach to protecting information by educating actual living, breathing, thinking human beings on how to consciously protect information.  So while the market is preaching from the gospel of “Technology Will Save You”, Michael’s approach is to say technology is necessary and useful, but ultimately not enough if the people responsible for protecting information aren’t aware of the potential effects of their actions.

So how can you create a personal USP? This is a great mind mapping exercise. Start by plotting out what you are responsible for, and how that impacts the organization you work in. What organizations do you directly touch? What financial impact does your work have on the organization? What would happen if your role were eliminated?

Take your time with this. It is well worth the effort. So much of the marketing we are exposed to on a minute by minute basis is focused on being cute and clever, not on delivering an impactful statement on what makes the product or service unique. For inspiration take a good look around at Michael’s Security Catalyst website and see how his positioning is so different from the rest of the IT security consulting marketplace. Then, for the rest of the day really ponder the ads, PowerPoint presentations (UGH!), radio spots and TV commercials and notice if any of them communicate a unique message about what they are selling. My guess is you’ll find less than 10% do. More likely less than 5%.

In closing, remember what Thomas Edison said: “Opportunity is missed because it is dressed in overalls and looks like work.” Do the hard work to develop your Personal USP. Then deliver on it and see the difference it makes in your career.

Posted in Catalyst Insights, Information Protection

Are you making it easier for people to do their jobs?

If you have heard me speak publicly, you know I advocate that the role of a security professional is to make it easier for others to do their jobs - while protecting information.

To be clear, this does not diminish network security, network operations or anything of the sort. That directly supports my point: done properly, the network operates in a way that does not impose a burden on users.

While at the “Apple Festival” last weekend, we took time to visit one of my favorite exhibits - a museum of working, but retired, farm equipment. Much of it is from turn of the century through the 1960s. Some of the equipment was routinely used in the act of farming and other support roles until the 1980s and 1990s.

I can’t explain why, but I have always been drawn to pickup trucks, tractors and flashlights. So to see a working series of tractors far older than I is simply amazing. As a kinesthetic learner, I am immediately transported back in time - and allow myself to be fully absorbed in the moment. I love learning. Period. But I really love learning about history - and specifically how improvements shifted the way things were done.

That brings us back to security. I have a sense that many organizations have lost sight of what they do, what they provide. The recent break-in and burglary of our RV put us in contact with a lot of different organizations. The responses have been interesting - and illuminating. And when the emotion has had a chance to subside a bit, I’ll post a transparent account of what we learned. What I can share today is that many organizations have lost a sense of who they are, what they do and who they serve.

But it is not too late!

Last Sunday, I watched simple - yet powerful and impressive - machines in action. What struck me most was the fact these machines were designed and used to make it easier for people (farmers, in this case) to do their jobs. They allowed them to do more with less, expand their farms, provide for more people or make more money with the resources they had. These simple machines (especially by today’s standards) were powered independently, easy to understand, use and repair. Did I mention they still work?

In fact, these machines were so simple that my five year old could quickly and easily understand what they were, what they did and how they worked. Can you say the same about the way information is protected in your organization?

The more we travel, the more I meet with people who explain their elegant laptop encryption solutions, extravagant VPNs and other measures to protect information. But when I have the opportunity to work with the people upon whom these ‘solutions’ are inflicted, I find that the solutions were not designed and implemented with people in mind; as a result, they actually make it harder for people to do their jobs. This brings the unintended consequence of further disconnecting people from their responsibility to protect information - and ultimately creates more risk that is more difficult to assess, measure and manage.

I wrote Into the Breach to present a straightforward solution that any organization can use to make an immediate difference in the way people protect information. We are launching the Protecting Information Program to provide the additional guidance, insight and accountability people need to make the shift. I look forward to the opportunity to meet and support your efforts to make the change and join me in the challenge to change the way people protect information.

Until then, when you can, go check out some old farm equipment - and notice how it made it easier for people to do their jobs. Then ask yourself a simple question: is the solution I am working on going to make it easier for people to do their jobs?

Posted in Catalyst Insights, Information Protection, Into the Breach

The Answer in the Clouds

Taking advantage of the beautiful fall weather this weekend, my family and I attended a local apple festival. It was an excuse to get out of the house, get some fresh apple cider donuts and have some fun on a beautiful fall day.

On the ride there, my children asked for some jazz on the radio and then called out the different things they ‘saw’ in the clouds. The list was common (trains, dinosaurs, bulldozers…) - and encouraged my wife and me to gaze up to “see what we could see.”

The ‘apple festival’ was held on some local fairgrounds that are well established, including some museums, pavilions, horse stables and a music amphitheatre (well, it has a stage and benches). The real gem of the day was the music and the freshly cooked food that was a little less than the picture of perfect health.

With a batch of fresh-cut French fries, we sat on some benches and listened to a jazz group entertain the crowd. When the fries were gone, I lay back on the bench and just looked up at the sky. The ride to the festival still fresh in my mind, I started to look for patterns. The first few looked like inkblots to me, then I saw some x-rays and finally, the imagination kicked in and I saw dinosaurs, alligators and a host of other things. Soon, the entire family was looking up at the clouds - in the middle of the festival around us, we celebrated the clouds.

For a few minutes, I was entirely in the moment. I absorbed the fall hue the sky took on, enjoyed the clouds and was content with the world.

Then it hit me - we allow ourselves to be so focused on the technology and the need for immediate solutions that we fail to take the time to let the clouds roll by. This leads to a vicious cycle where the so-called solutions actually create more problems. When we can step back and just let things be - we can see them for what they are. More:

  • We can look for simple solutions; the ones that probably work best and require the least.
  • We can allow our creativity to come through - and we certainly need more of that in nearly every aspect of life.
  • We can relax, experience life and find common, but powerful, ways to connect with those around us - whether friends and family or our colleagues (which for some of us comprise our friends and family).

Technology has a place in our solutions. We live in a dynamic world with some interesting and often complex challenges. Such challenges require equally dynamic - but SIMPLE solutions. The way to get to simple solutions is to step back, gather, absorb, ponder, plan and test. This leads to the right requirements that generate solutions that work.

Want to develop better solutions? Then create better requirements. Here are three steps to get started:

1. Take time to first understand - then engage in conversation to reach a mutual agreement on what the end goal is.

2. Enjoy some time to ‘look at the clouds’ and test a range of ideas - creativity counts. Stepping back with a more complete understanding allows for better requirements, better solutions and less overall complication.

3. Document the requirements independent of the solutions and use them as a guide.

There are more steps - and I will be explaining and using them in the coming months as we take a closer look at the burglary of our RV - and how it has improved our planning and actions on a personal, family and business level.

While you have the opportunity - step outside today and look up at the clouds. If you can’t see trains, dinosaurs, dragons, roller coasters and a heap of other things, then maybe more cloud gazing is the answer for personal and professional success.

Continue the conversation with me

About Michael

Michael Santarcangelo is a human catalyst. An expert who speaks on information protection - including compliance, privacy and awareness that works - Michael energizes and inspires his audiences to change the way they protect information. His passion is contagious and his approach gets results that shift thinking and change behaviors. Add the Security Catalyst to your organization today to get the results necessary for success.

Posted in Catalyst Insights, Catalyst onTour, Information Protection

Catalyst Conversation Starter: The High Cost of “Freeware”

When it comes to protecting home computers, “Is freeware free?”

This is not a question aimed at the enterprise. Instead, this is a question that cuts to the heart of the advice that security professionals offer to those who depend on that experience and insight to guide them, be they parents, siblings, friends, co-workers or even people we meet in passing. Professionals are often called upon to make quick decisions based on experience and training (we can argue later whether this is good or bad). While this may be an accepted business practice - does it work as well when it comes to advising families on how to protect their computers?

I think we need to step back and consider. If someone asks you if they should spend money for a paid software solution to protect their home computer or simply use “freeware” solutions - what is the best answer? What do you recommend today? Why?

To aid in the process, I offer for consideration a report that details my experience evaluating freeware through the lens of a consumer. The report is short. It is designed to be an opportunity to stop, think and engage in the conversation.

Based on a challenge, I stepped back and examined the situation in a manner different than normal for me. I worked to experience the process of finding, downloading, installing, configuring and using freeware solutions. I considered the time spent and took an effort to measure pop-ups, messages and potential frustrations. Taking the time to step back literally changed what I thought and what I recommend. It forced me to examine the “truths” I believed in favor of real experience.

Get the report here: http://www.securitycatalyst.com/eGuides/Security-Catalyst-The-Hidden-Cost-of-Freeware.pdf

Come join the discussion in the Security Catalyst Community here: http://www.securitycatalyst.org/forums/index.php?topic=960.0

(and join me for a live Talkcast on Thursday — Noon Eastern — to discuss this with special guest Dave Cole)

Posted in Catalyst Insights, Information Protection, Security Catalyst Community

The Hidden Cost of Freeware: a Mind Changed

Is freeware really free?

Threats change. Solutions evolve. We no longer only face viruses, but now must contend with a multitude of attacks and other “bad things.” Whether speaking from the platform or offering our “Building Your Family Safety Net” seminar, here are the most important five actions for home computer protection (we handle networking and other elements in a different segment):

1. Install and use a personal firewall

2. Install and use anti-virus (and other protections, like anti-spyware, etc.)

3. Select and use good passwords

4. Use a regular user account instead of the administrative account

5. Backup (and test) regularly

After sharing the list, a common question asked is, “What programs and brand should I use to protect my computer?” From the platform, I work to remain neutral on brands and explain that using the solution is what counts - by keeping the program updated. That extended to freeware solutions, too. After all, this was a way to remain independent and still provide value, right?

Turns out my education is in social science with an emphasis on applied economics. Along the way, I wondered, out loud, if freeware was actually free. Economically speaking - which makes more sense - paying for a solution or building a “suite” to protect a PC from freely available solutions?

I recently had the opportunity to step back, put myself in the shoes of a user and experience the difference between piecing together a freeware suite versus a paid solution. This was a chance to step outside of my own expertise and beliefs and approach the situation with a fresh mind. As a professional speaker, I questioned whether I should be staying neutral and agnostic, or if I could provide more insights to help people make a better decision.

My experience and findings actually surprised me - and shifted not only my thinking, but also the recommendations I make from the platform and when working with family, friends and groups of people. Keep reading to learn about my experience in learning that freeware isn’t free, and actually may cost more - and create more hassle - than a current paid solution.

====

Quick note: I will be releasing a podcast with more insights tomorrow, along with the final report from my efforts. Check back for links and insights tomorrow.

Posted in Catalyst Insights, Catalyst onTour, Information Protection, Professional Speaking, Security Awareness Training

Should bloggers be held to ethical standards?

This is a question that has been kicked around quietly, and now it is the focus of the August Security Roundtable. We are recording on Tuesday (pondering using a live-feed) and I want your feedback.

Show Prep Outline

Blurring the lines: blogging, ethics and journalistic integrity
The impact of social media on how ideas and information are shared, and the responsibility of those who create it.

I’m driving at a few things:

1 - social media is here, and it has changed the game (ask the newspapers)
2 - used to be “if it is printed, it must be true;” seems to have migrated to “if it is on the internet, it must be true”
3 - journalists have (supposedly) integrity and editors. What about bloggers?
4 - are sites with editors better?
5 - what are the lines, and does the “system” have a way of repressing the bad and sifting the good to the top?

As the popularity and quality of a blogging/social media outlet improves, do the requirements change? Should superstars be role models? What about bloggers with a following?

So whether you blog, podcast/netcast or read blogs - what do you expect from your bloggers? Got a comment? Idea? Question? Send it to me: michael [@ SHIFT-2] securitycatalyst [period] com. Call and leave me a message or join the conversation in the Security Catalyst Community:

Note: Joining the Catalyst Community

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.

Posted in Catalyst Insights, Information Protection, Professional Speaking

Three Ways to Avoid “Wheel Reinvention” - and Build a Better, Trusted Solution

The last article in this series explored the top three reasons why groups have a tendency to reinvent the wheel (read it here, or the entire series started here). And now, some solutions:

Beyond the frustration caused by an approach that simply recreates the wheel, the result is often a solution that is not trusted and therefore readily cast aside in favor of the next offering. To put a stop to this cycle requires taking a different approach. Success has to be based on fundamentals and sound principles.

How to do it?

A key part of the solution is to enter into deliberate discourse (note: this is a central theme of Into The Breach and a topic I am passionate about). More voices with an opportunity to review, consider and contribute have the potential to lead to a better product. For this to lead to a better product requires a strong leadership team with enough expertise to guide and the skills to help facilitate and negotiate the final result.

Instead of starting with a blank slate, it is a good practice to build on the success of others. When it comes to strategies that protect information, we have plenty of choices – frameworks like ISO 2700x, PCI, FISMA, etc. However, limiting the solution to a narrow set of industry standards may not yield the best results. Sometimes, real progress comes at the intersection of industries (to gain more insight on this approach, consider reading: The Medici Effect) – leveraging how the medical, engineering or other industries have dealt with and handled challenges may bring valuable insight to the effort at hand.

The advantage to building on the validated and transparent work of others is the ability to avoid conjecture and “gut feeling.” This is the challenge: there are few shortcuts to spending the time to outline, think, plan, distill, check, cross-reference. This is an area where transparency really provides a benefit.

When the group of professionals is assembled, here are three steps to harnessing the collective power, building on the wheel (instead of building a new wheel) and reaching a point of success:


1. Capture and distill frameworks (or solutions)

Start by presenting a model to work from, based on an existing solution. In general, individuals and groups struggle to create but excel at editing and revising. With this in mind, selecting an initial framework or set of solutions to present to the group acts as a strawman [http://en.wikipedia.org/wiki/Strawman]. This has the added benefit of allowing people to beat on the framework(s) instead of each other.

The frameworks or solutions can either be selected in advance or decided by the team. Allowing the team to decide may provide for more diverse results but requires more time and a stronger facilitator (who possesses deep subject matter expertise). Stronger frameworks and solutions are those that have already been publicly validated and are more transparent. This suggests the “heavy lifting” has already been done and the team can focus on refining and tailoring what already exists from multiple sources into the solution required.

More important than just compiling a list of viable frameworks and solutions is how they are captured and processed. As the elements are suggested, reviewed and documented, look not only for the similarities, but also the distinctions between them. Working to understand why specific elements were either included or excluded may also reveal key insights that aid the development of a stronger solution. Note the intended audience and users of the solution and how it is received. It may be useful to note the level of maturity, too (since that provides some insights).

This process generates a lot of discussion – this is good, and leads to the second point.


2. Capture and distill the running dialogue

More important, perhaps, than the solutions selected in the last step is the running dialogue that occurs as part of the process. Yet few organizations take the time or make the effort to capture that solid gold value.

Ultimately, the discussion – the true process of negotiation and coming to a common understanding – is precisely what allows a group to build the final product. While the discussion is natural, here are three important questions to ask, answer and record during this process:

a. What works — and why?

b. What does not work — and why?

c. How is this applied — and why?

Look for specifics. This is an area where people tend to rely on “truthiness” – which, to a certain extent, may be okay. In the overall discussion, however, guide people back to more concrete grounding by asking more questions to ensure everyone shares a common understanding (which is not necessarily the same as a common opinion!). The next segment will explore the benefit of capturing this conversation and making it available in the future.

As the conversation continues, there is one more step to increase the overall value.

3. Capture and distill references

The value of having experts together in a room is their collective knowledge – informed by experience, training and a vast array of resources. Therefore, it is incredibly valuable to regularly ask this group to cite the references they find of value.

As the discussion rages on (if you have been part of a working group, rage is definitely the right word), asking people to take the time to cite the references that support their assertions returns focus to the fundamentals.

Not only does this improve the overall framework, but this also improves how it is applied and verified (as we will explore in the next sections).


Bottom Line

Bring together a small, tight team that works well together. Welcome as many voices into the process as reasonable. Take the time to distill and overlay what already works.


How this Applies to Trustmark

When Trustmark gets this right, it will essentially be an overlay on the entire industry – explaining where, how and why the different control families and control objectives can be met. This is important, since it allows for additional regulations or efforts to be acceptable without prescribing a set way of working. But whether working on Trustmark or a new process to protect information, following these steps leads to a stronger - and more trustworthy - result.


Up Next: the second challenge facing Trustmark and similar efforts is in how the solution is applied. We examine this challenge with potential solutions before moving on to the final challenge of how the solution is measured and verified.



Posted in Catalyst Insights, Information Protection, Into the Breach, Security Awareness Training, compliance

Why Teams Reinvent the Wheel

After a decade of participating in certification workshops (and similar events like program and solution development), I have witnessed an interesting trend emerge: ask ten professionals to define a term or concept and get twelve answers. Rarely are these answers tied to a standard framework or definition; instead, they tend to be based on the experience of the expert being asked (or offering their opinion anyway). In my experience, the resulting workshops muddle the opinions together to produce a result people claim pride in (because they have their own opinion incorporated) — but rather than building on the wheel, it often reinvents the wheel.

Note: this can be easily tested. With the new awareness of the trend, look for it during a meeting, workshop or even in the stream of answers given on a mailing list of professionals. In most cases there will be a flood of answers that *seem* correct, but lack references or links. While this is not always a bad thing, it often leads to confusion and complication.

While this may not happen to all groups, it certainly happens to a lot of them. Why else do we have so many frameworks to assess risk? When you really dig into them, they all advocate essentially the same thing but with a variety of tools and ways to do it. Most “security” professionals feel that none of them is complete and continue to search for the holy grail (which means they decide to build it better).

This is an inherent challenge – and benefit – to working with a team of experienced, dedicated and passionate professionals: each has tremendous value to contribute based on their experience. The problem lies in distilling the various experiences into a useful solution instead of working to muddle them together into something that looks like the wheel we already have, but only slightly different (and not necessarily better).

In order to prevent the unnecessary reinvention of what already exists — and use time and resources to get better results — it is important to first understand the three main reasons this happens (tomorrow, we explore what to do about it):

1 - “Truthiness” Strikes Again!
If you have not (yet) watched The Colbert Report, “truthiness” is the term its host, Stephen Colbert, coined, defined as:

“things that a person claims to know intuitively or ‘from the gut’ without regard to evidence, logic, intellectual examination, or facts.” [http://en.wikipedia.org/wiki/Truthiness – this is entirely worth the quick read and consideration]

There is too much “truthiness” in security today — inherent in the myriad of certifications, frameworks and solutions — and the industry overall. I suspect it is a result of exerting professional opinions combined with a [perceived] lack of time to back it up with references. This is, quite possibly, the single biggest challenge the industry faces right now: put enough experts in the room and everyone has an opinion that is a shade different from the others.

The paradox is that these different opinions are precisely what is needed to distill the core essence necessary for an effective solution. These opinions need to be captured, tied back to references and distilled for important elements. However, in a group setting of experts, each person has an innate desire to share valuable information and insights; everyone wants to be “right.” Just because someone “claims it so” doesn’t make it true (even if it is written on the Internet).

Truthiness brings an unintended consequence: personal emotional involvement. It is easy to make a statement of “fact”, but more difficult (albeit necessary) to back it up with references and data that support the point. Call it ego, passion or whatever you want. Whether relying on a priori or a posteriori knowledge (I had to look it up, too: http://en.wikipedia.org/wiki/A_priori_and_a_posteriori_%28philosophy%29 – hat tip: Lori Mac Vittie), individual emotion and reputation become entangled in the result; this introduces unnecessary complication that muddies the end result.

(Pick the Brain recently ran a great post about this: Is Truthiness Holding Back Your Blog? If you’re not reading Pick the Brain regularly, you should consider it.)

2 - Failure to Focus on Fundamentals
The value of pulling together a team of professionals lies in their collective experience. These experiences inform opinions that are important when used to explore or contrast fundamental concepts. The challenge is ensuring the opinions are couched properly and tied back to the appropriate fundamental concepts. All too often, fundamentals — which take time to review, distill and cite — are left by the wayside. People accept “close enough” as being “good enough,” when, in fact, it is not (well, except for horseshoes and hand grenades).

Over time, a tight grasp on fundamental concepts is loosened. As experience colors fundamental understanding, individuals accept “close enough” and rely on truthiness (after all, it works in their professional lives). Failing to focus on fundamentals (or at least reference sources) leads to confusion of language, resulting in wasted time and effort. This extends beyond the current session to future sessions, where the specifics of the discussion have long since been forgotten. By failing to establish anchors to accepted standards, definitions, resources or other fundamentals, the essence is lost. As a result, it is difficult, if not impossible, to make meaningful progress.

Using language to reach a truly common understanding requires constant and skillful negotiation. Success comes when those involved work together to build a common set of anchors. Without a similar frame or grounding to the same perspective, it becomes increasingly difficult to reach the same conclusion.

3 - Groupthink Prevails

“Groupthink is a type of thought exhibited by group members who try to minimize conflict and reach consensus without critically testing, analyzing, and evaluating ideas. During groupthink, members of the group avoid promoting viewpoints outside the comfort zone of consensus thinking. A variety of motives for this may exist such as a desire to avoid being seen as foolish, or a desire to avoid embarrassing or angering other members of the group. Groupthink may cause groups to make hasty, irrational decisions, where individual doubts are set aside, for fear of upsetting the group’s balance.” [http://en.wikipedia.org/wiki/Groupthink]

Here is where this applies: most of these groups have few arguments. The few challenges that exist tend to be heated and passionate discussions centered on two different positions, both relying on truthiness. The sad reality is that most people have forgotten (or never learned) how to challenge and argue effectively.

This lack of practice in arguing is further hampered by personal emotion. When the argument centers on a person’s idea instead of a fundamental concept and how it is applied, it feels like a personal attack to the person who suggested it. And sometimes, it probably _is_ a personal attack. Regardless, it does not represent a constructive approach toward real results.

Realizing the conflicts are unproductive (and sometimes uncomfortable), groupthink kicks in. It is further compounded by those who are less certain of the facts and decide to remain quiet lest they be branded as unworthy of participation. The natural instinct is to presume the other person knows more and avoid the embarrassment of being wrong. So instead of vigorous and productive conversation, the group is met with tacit approval (and sometimes whispers in the corners).

Passion expressed as truthiness that is not anchored to references gives way to groupthink. The resulting product often resembles a reinvented wheel, instead of a solution that takes advantage of the good wheels already developed.

Your New Wheel (wait, did you want a new wheel?)
What about personal pride and taking ownership of the solution?

While “ownership” is believed to lead to better results (the whole concept of responsibility addressed in Into the Breach), few people want to own the efforts of someone else. Personal investment clashes with the fashionable approach of rejecting solutions “not made here” (which would take another series to explore). Basically, everyone wants to build their own, better solution (for various reasons). Unfortunately, as the process unfolds, the three elements outlined above combine to create an end result that the very professionals involved often distance themselves from. Personal pride turns to hurt emotions and bitter feelings. And the search for a new solution kicks back in.

How to overcome these challenges and build a successful framework/solution will be tackled in the next segment.


Posted in Catalyst Insights, Information Protection, Security Awareness Training