Daydreams of Failure
Fellow Catalyst Blogger Adam Dodge recently wrote about failure. In his blog entry, he muses about how failure can lead to increasingly better results. Fail better, he offers, rather than try for perfection.
What is information security if not the study of how systems fail? While consumers of information systems expect them to succeed, a seasoned security professional is looking for the obvious and arcane ways in which an apparently healthy system can fail.
When computer systems are patched, policies enforced and viruses quarantined, we presume to have succeeded. Yet when unsubstantiated rumors affect the company stock price, we relegate that failure to someone else. But the end result is the same: a system has failed and the company has been adversely affected.
Failures of computer systems are well understood in our profession, but failures of information systems are rarely as appreciated. Information takes many forms and the risk to information is not always at the end of an electrical socket. If a water line were to break, would that be an information systems failure? Certainly it is a failure, but who considers water line failures a risk to information? However, if the water line were to break and the office flooded, would the filing cabinets be affected? Are they full of original, historical documents?
What if the marketing team orders t-shirts with the names of all of the employees who succeeded at delivering a project on time? This is great for morale. Is it equally morale-boosting to a social engineer?
The evolution of information security will certainly involve a re-examination of how we define systems and how they fail. Freed from the bridles of IT, the future information security practitioner will look around the environment and start asking questions based on what he sees. He will see interactions between seemingly ordinary objects as creating ad-hoc systems, with information freely flowing among them. He will daydream and begin asking questions like, “What happens to the business if it gets 1000 bad reviews on Amazon.com? How does the elimination of the training budget affect our ability to retain veteran employees?” Or, to put things in a more recent context, “What would happen if the bank reduced our business line of credit?”
What systems do you see around you? How can they fail? How would a failure lead to harm for the company? Kick back your feet and stare at the sky for a while. You might be surprised.



