Do we make a difference?
That’s really a loaded question, actually, because the answer could be both “yes” and be bad at the same time.
Hoff is changing “security” to “survivability” and believes that will make everyone magically delicious^H^H^H^H^H^H^H^H^Henlightened and completely change the state of what we’re doing in our field. It’s been a while since I’ve seen someone go all Wittgenstein on our asses, but I wish you the best of luck, my friend. The Security Mike crack made me shoot blueberry cereal out my nose.
Do we make a difference? I don’t know about you, but I’m pretty sure I do.
Over the last two years at my particular organization I can see a team that has grown from three account administrators to a real security function, one that has completely revamped our network and security infrastructure (and D*Z), implemented log consolidation and an internal CA, has rolled out whole disk encryption for laptops, and is responsible for fixing dozens of serious application security flaws. Every time a user emails me and says, “I saw a suspicious email message in my mailbox, and thought you should know about it,” I know I’ve made a difference. Every time a sysadmin comes to see me and says, “There’s something I think you should look at” or “I really think we need to fix this,” I know I’ve made a difference. Every time we stop an attack through preventive measures, I know we’ve made a difference, because it would have gone like a hot knife through butter two years ago.
The rules of the game are completely different from what they were ten years ago. As an ISO ten years ago, I didn’t need to worry about SOX, Basel II, GLB, or Patch Tuesday. You could run servers with an uptime measured in hundreds of days without any problems and without any upgrades. We had just unveiled our first public website and done our first formal pentesting. We were convinced that log consolidation and normalization was a good idea but didn’t know how to do anything except roll our own. My biggest enemies were floppy disks and modems. (I’m sure Arthur remembers more about this time than I do, seeing as how he’s younger.)
Yes, a whole lot of discipline has disappeared from IT, and sometimes it seems like we’re the last bastions of it. (Bastions? Bastiges?) I’m not a smart person, so I’m waiting for the Enlightened Ones like Hoff and Spaf to tell me what I should be doing differently (besides thinking, in terrible grammar). As soon as they tell me what I can do to fix the world I didn’t make and have to live in, I’ll be all over it.
But I’ll still be calling it information security.


This would be a bad day to ask me that question :-(
That’s right, rub it in.
Unfortunately I don’t think changing the name will change my odds of making a difference. Enough of me sulking on your blog; I’m off to the garden to eat worms…