Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Of course, some people do go both ways.

Saw this blog posting this morning on BlogInfoSec.com:

Slashdot Post On Security Ethics Demonstrates Professional Naiveness[sic]

wherein Kenneth Belva takes a frustrated security professional to task:

I wish this anonymous reader put their name to the article. Their statement above demonstrates their complete lack of understanding of the security process within a corporate environment from a political perspective.

Well, in the first instance, Mr. Belva demonstrates professional ignorance of certain words (it’s “naïveté”), and in the second, claims to understand “the security process within a corporate environment” without acknowledging the fact that the issue here is risk, not necessarily politics.

Read the original posting again:

“I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business. It’s truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?”

You could easily read this as someone who is overstating risk, or someone who is stating it accurately. It all depends on where you’re standing. If you’re on the left, you see it as being too far to the right, and vice versa.

This just underscores the need for an objective dialogue on risk, and a common taxonomy for everyone to use. (No, I swear I’m not trolling for more links from Alex and Jack; I really do believe this.) Everyone knows the situation where an auditor writes you up for allowing SSL v2 or some such silliness, and you just want to shake them by the lapels and say, “Why do you think this is a serious risk? Why is this serious enough to write up?”

So this situation could go either way—they really could be strong-arming auditors into reducing risk ratings on objectively serious issues, OR they could be giving the auditors plausible reasons to reduce the risk ratings. This is why we need explicit, written risk assessments that are open to discussion.

UPDATE

Mr. Belva was kind enough to notify me of his response:

I became aware of a post on Layer8 accusing me of being “professionally ignorant.” Unfortunately this individual will not allow people to comment on the Layer8 site unless one registers. So here is my reply to this blogger:

=============

I believe that naïveté and naiveness are synonyms and are both nouns, which means they are interchangeable.

Dictionary.com:
http://dictionary.reference.com/browse/Naiveness

——-
naiveness

noun
lack of sophistication or worldliness [syn: naivete] [ant: mundaneness]

WordNet® 3.0, © 2006 by Princeton University.
——-

Here’s Princeton’s direct URL which basically states the same thing as dictionary.com:
http://wordnet.princeton.edu/perl/webwn?o2=&o0=1&o7;=&o5;=&o1=1&o6;=&o4;=&o3;=&s=naiveness&i=0&h=0#c

——-

Perhaps a second post with a retraction is in order for your slander against me in regards to my “professional ignorance.”

Sure thing, buddy—I’ll retract my sarcasm if you actually respond to the main point of the post instead of whingeing about “slander.”
(Weren’t you doing the same thing when you accused the Slashdot poster of a “complete lack of understanding” as well as “naiveness”?)

Posted by shrdlu on Friday, April 18, 2008

Comments

shrdlu United States on 04/18  at  12:27 PM:

PS - The site lets you comment just fine without registering; your comment is simply held for moderation.  Any “astute security practitioner” would be able to tell the difference.

LonerVamp United States on 04/18  at  02:40 PM:

I posted my own comment over there, and I had already posted a big ramble on Dan Morrill’s blog post the other day on this topic, so I won’t rehash anything here other than to say this is much ado about a very vague post on Slashdot, and a lot of “my way is the correct way it should be for EVERY company [fist pound on the desk, hair suddenly displaced at the motion, growing a little aroused, christ I need a drink, damn I’m good]!”

I have to agree, though, that “naivete” should be the proper word. “Naiveness” is simply awkward. It feels as wrong as “recieved.”

rybolov United States on 04/19  at  08:22 AM:

Guys, what are we doing?  Arguing with Slashdot trolls is the gateway to insanity!!!111oneoneone

Rob Newby Great Britain (UK) on 04/19  at  12:10 PM:

slan·der (slăn’dər)
n.

1. Law. Oral communication of false statements injurious to a person’s reputation.

AS OPPOSED TO:

li·bel (lī’bəl)
n.

1. A false publication, as in writing, print, signs, or pictures, that damages a person’s reputation.
2. The act of presenting such material to the public.

I get so sick of explaining this that I forget what the original point was.

Kenneth F. Belva United States on 04/22  at  09:27 AM:

The “Senior Security XXX” author is caught in a dilemma in which he loses either way. Let’s assume that he works in an Enron and things are as bad as he describes: SOX provides a line to the board of directors for whistle-blowing. He should *know* that as a security professional — senior or not — working in a publicly traded company. If he doesn’t know this, he’s naive. If things are not corrupt like Enron but he’s describing them as such, then he doesn’t understand the political process. Again, naive. He loses either way.

Alex Hutton United States on 04/22  at  10:41 AM:

I actually dusted off my /. UID (8916) and posted a response there. 

http://it.slashdot.org/comments.pl?sid=523768&cid=23087896

Where most people are going to dislike my answer is that I don’t see the problem at that organization being the executives, but the security professional.  (ducks)

Dan Geer summarizes a difficult problem with a simple question “Are we secure enough?” Now many security professionals read that sentence and see “Are we secure?” and miss the “enough” word.  Unfortunately for you (unless you create your own budget with a blank check), you don’t get to decide what is “enough”.  That is the realm of the data owner (for you CISSPs out there).  Our job is to give them enough information so that *they* can determine what is “enough”, (and frankly - you probably don’t want that job).

Where most Security folks have an issue with that arrangement is that if there is an incident, it’s their butts on the line, not the executives. There are really two answers to this dilemma:

1.) It’s business, that happens.  This isn’t much different than sales people being fired for missing quotas even though the problem is in marketing.

2.) That’s why you should really be fighting, hard, to do good risk analysis and have a sign-off process that transfers what risk you might have in the “accept/address/transfer” decision to the Line of Business owners.  Your function is report and implement, not own. 

So Dan’s question is very similar to the question that Jack has posed - “Is the current risk we have within the risk tolerance of our organization?” Our job is to accurately express the risk, and then adjust the current state of nature based on Mgmt’s answer to that question.

Where Ken’s answer to the /. poster falls apart is he appears to automatically “know” the risk tolerance and risk state of the organization and suggests running to the government. 

However SOX doesn’t get specific about a risk tolerance/current risk ratio.  Even in the most mature of the Global 2000 (and you have to go there because of Basel II) I don’t recall that there is anything particularly prescriptive about risk tolerance for operational risk that can be applied across the board to organizations across national boundaries.  Credit and Financial risk is getting attention, to be sure, but the amount of set asides based on operational risk is up to someone’s (the executives and board) discretion.  SOX only really applies where an organization acknowledges risk, says it is answering the risk in some documented way to shareholders (some financial set aside), but in reality is not answering the risk at all. 

That is a different animal than whining about not having political capital with the executives.

Kenneth F. Belva United States on 04/22  at  12:20 PM:

Hi Alex,

You write:

“Where Ken’s answer to the /. poster falls apart is he appears to automatically “know” the risk tolerance and risk state of the organization and suggests running to the government. “

I neither:

1. appears to automatically “know” the risk tolerance and risk state of the organization, or
2. suggests running to the government

Second point first: SoX requires a path to the board of directors of the company, not the government. I never proposed going to law enforcement. Although, if the SoX whistle-blowing does not yield results, law enforcement would be the next step if one is a whistle blower.

Onto the first point: I focused on the following descriptions: “turn a blind eye to blatant security issues”, “reduce the risk ratings of internal findings,” and “strong-arm 3rd party auditors/testers”.

These are human issues: turning a blind eye and strong-arming are descriptions of corruption. No? I could be mistaken here. If you agree that these are human issues that deal with corruption, discussions of “risk tolerance/current risk ratio” or “a common taxonomy for everyone to use” (such as shrdlu describes above) become irrelevant because people will just slide around those as well if they are corrupt. That’s why shrdlu’s reply to me is stronger on the sarcasm than on any real security point.

OK… Lunch is over…

Ken

PS - A solid risk taxonomy would be great, but that’s not the focus of the slashdotter’s post.

Rob Newby Germany on 04/22  at  02:03 PM:

Well I think you’re all great. I love all of you guys and I can’t pick a side here. I think you’re probably arguing over semantics though (that’s words, not the anti-virus company) <-- look Mum, an IT Security joke.

I just want to give you all a big hug and teach you how to speak proper English. Like what I do.

Alex Hutton United States on 04/22  at  03:10 PM:

Ken,

You’re right. Neither of us has enough information. It’s entirely possible that the management there is corrupt and criminally negligent. I also think it’s entirely possible that the security department is not aligned with the organization’s risk tolerance, as the symptoms described suggest.

I apologize, I jumped the gun by assuming, based on my experience, that the latter occurs much more frequently than the former.

Kenneth F. Belva United States on 04/22  at  07:40 PM:

@Alex

No worries and the apology is beyond generous. Debate is part of the territory when discussing this stuff via blogs. We all have our opinions that should be respected. One also needs to be able to give and take with this stuff. I do my best to keep everything professional and above board, but there are plenty of others who do not (and cannot). It is rough out here, but that’s the way it is in any public forum when you put your ideas out there. Also: no risk, no reward! smile

I usually forgive all. Although, I find meaningless, sarcastic libel without a rightful apology slightly more difficult (but certainly not impossible) to forgive.

@Rob

It is libel in this instance, correct? smile

shrdlu United States on 04/23  at  09:27 PM:

Kenneth, thanks for the laughs.  No need to forgive what you perceive as “meaningless, sarcastic libel” since I don’t perceive it that way, and you don’t appear to understand that people *can* perceive “blatant security issues” in different ways.  (Hence the need for objective risk assessments.)

Has the anonymous slashdotter forgiven *you* yet for your insulting tirade against him?  Have you apologized to him?  Didn’t think so.

Dude, get over yourself.  You wrote a stupid article and you were called on it; if you really were “able to give and take,” you would take your lumps and move on.
