Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Realsicherheit.

Been thinking more about why Hoff and I keep talking at cross purposes with each other.  Part of the problem is that I am stuck in the daily position of having to make what changes I can to improve security that are supported by my management’s view of their risk.  There are a whole bunch of things that I’d love to implement, but realistically speaking, I can’t force them through all at once.  I have to plan which measures will take care of the most low-hanging fruit, which are least invasive to the rest of the organization, which I and my team have the most control over getting done, and which are least expensive (in real dollars, not FTE effort).  I have to figure out what I can squeeze out of the budget this year, what I can realistically argue for next year, and what has to be put in now in order to have a firm foundation for new systems and applications.  My security plan is multi-year, of necessity.

Every year, I can generally get away with asking for one or two major projects which involve forcing the development teams and/or the sysadmins to remediate their systems.  This year, I have an outsourcing to contend with that I didn’t ask for and which is going to use up all those spare cycles, so I’m hosed there.  I can buy three or four security products as long as they’re noninvasive (i.e. my team can set them up without requiring help from everyone else).  I can put a few new standards in place that require developers and sysadmins to tweak what they have.  I can change all the processes I want within my own team, and I can change a few more processes elsewhere as long as they don’t cost significant money or effort.

I suspect I’m not too different from other security managers in this respect.

I was talking to an acquaintance who is in the throes of setting up Security By Contract.  The security levels he has to implement are part of the contracted service he’s providing.  The problem is that his client isn’t anywhere near a decent level of security, and he’s not sure he can get them very far any time soon.  So he’s wary of setting the security goals too high in the contract he’s negotiating with them.  The client, on the other hand, wants to throw every security setting and the kitchen sink into the contract, because they’re afraid that later on they won’t get it if they don’t ask for it now.  I don’t know how they’re going to solve this impasse.  Security By Contract is a very painful way to manage and it has very little to do with risk management (unless you count breach of contract as a risk; it’s the main one they’re forced to focus on).

Hoff is being paid to be evangelical about security.  That’s great.  We need those in the business.  I wish I could join in the fun; I’ll watch from the sidelines and cheer.  But during my day job, I’m stuck with the limits set by my management’s view of their risk.  If I want to improve security here, I have to do it either very, very cheaply, or I have to raise the level of risk my management is perceiving, so that they’ll devote more money to it—without resorting to FUD, which destroys my credibility.

Hoff gets to be the visionary (or “wisionary,” as my Swiss colleagues used to pronounce it), and I get to be the face of Realpolitik as it pertains to security.

Maybe someday we can meet in the middle and get together for a beer.  He’ll have to buy, though, because he’s the one with the expense account. ;)

Posted by shrdlu on Monday, October 22, 2007

Comments

LonerVamp United States on 10/22  at  10:59 AM:

I erased my own comment on your last post and was going to make my own blog post on this, but have been busy. I think there are two perspectives. Some people discuss security in terms of their finite organization. Others discuss it in terms of the global state of security; more of a utilitarian or theoretical approach.

For instance, it might be my choice to use my seatbelt, but it is a more universal choice to require seatbelts in cars.

Likewise, protocol and overall strategy for global digital security is far different from the approaches someone takes to secure just their network.

Both approaches are valid and can have valid, yet clashing goals/ideals. It definitely helps to establish which perspective you have first.

rybolov United States on 10/22  at  11:31 AM:

Hi Shrdlu

As far as your friend with “Security by Contract” goes, there are a couple of ways to work with it.  It’s exactly what the Feds deal with on a daily basis.  Just like the contractors, some of them are good at it, some are really bad at it.

Things that do work are “You provide the decision-makers, we provide the muscle” or “We will make the solution STIG-compliant with exceptions agreed to by you” or even “we will provide 3 FTEs to coordinate security activities and here is their WBS and scope”.

I have a couple more ideas, but um.... they’re trade secrets.

Christofer Hoff United States on 10/22  at  11:38 AM:

...and there you go!  You nailed it.

We did a podcast (Mogull, Amrit, Ryan and I) on Friday and I referenced a comment that Stiennon actually made which really highlighted the exact same issue you just raised...the day-to-day grind of being operational in a security role is different (and I’d say much harder) than being able to pontificate about how we’d like it to be rather than how it actually is.

When I was a CISO, I fell victim to this; it drove my boss crazy.  All the things I was doing were the right things, but the organization just couldn’t absorb it all at the pace I was shoveling it at them…

I think you’ve successfully arrived at the point where you’ve made the perspectives more clear.

I’ve told you once and I’ll tell you again, the beer’s always on me ;)

Great post...I think I’ll follow it up with a bloggy on the subject so smooth it out further…

/Hoff

Ben United States on 10/22  at  12:34 PM:

I think you’ve done a good job encapsulating the discussion. What Hoff, Spaf, etc., were hitting on, I think, really seems more about the philosophical state of the industry than addressing the question “am I making a difference?”. It’s a situation I correlate to being an FTE vs being a consultant. When I’ve worked as a consultant, I’ve been able to take a purist approach to security, offering up ideals that should be adopted. Those engagements were typically measured in weeks, or sometimes months, but always within reasonable constraints on scope. As an FTE, your scope can be much broader, with a lot more cause for drift/creep. And, your timelines are more often months or years, not weeks. As an FTE, you have to be far more flexible, and you have to accept limited resources, and you have to accept that you’re not going to win every argument or get everything accomplished that you’d like to ideally accomplish.

rybolov United States on 10/22  at  12:36 PM:

And I was looking forward to the impending blogfight.  You guys disappoint me with your level-headedness and not-lack-of-manners.

I guess we’ll have to go get Alex and Bejtlich and throw them into a cage match over qualitative risk analysis. =)

shrdlu United States on 10/22  at  01:00 PM:

By the time Hoff got to the Internet-enabled chastity belt, I figured he could provide all the entertainment we need, all by his lonesome.

Guess that ability comes with being a wisionary ;)

Christofer Hoff United States on 10/22  at  01:14 PM:

“...Guess that ability comes with being a wisionary”

Yes.  Yes it does.  That and a boatload of D-Cell batteries.

That is all.

/Hoff

Amrit United States on 10/22  at  01:52 PM:

You’ve summed it up nicely! I gave a presentation on “the evolution of vulnerability and threat management” at a Gartner conference in Australia, and during the question and answer period someone noted, “What you described is wonderful, and I don’t disagree with it, but it is really, really difficult to coordinate that level of cooperation between the network, ops, and security teams when we are facing so many day to day technical issues.” I replied, “Yes, I know; I only have to talk about it, you all actually have to implement it.”

Rob Newby Great Britain (UK) on 10/24  at  04:29 PM:

I just wanted to see a British flag up here for a change.

Stop complaining and get on with your work, you wouldn’t hear this sort of complaint in England, and you certainly won’t get me agreeing with anything. :p

Christofer Hoff United States on 10/24  at  04:41 PM:

...that’s because they don’t “work” in England.  9 to 5 is merely a temporal stasis in between beer time, shagging and something involving pork products in the morning.

You’re incapable of agreeing with anything anyway.  It’s in your Queens^H^H^H^H^H^H Genes.

Love, kisses and kicks,

/Hoff

(...I’m surprised they let you back on that bloody island after they deported you to Spain in the first place.)

Rob Newby Great Britain (UK) on 10/24  at  04:56 PM:

You know I’m in Americuh in 2 weeks time?

If I get past security, you know where I’m heading first…

And what do you mean I’m incapable of agreeing with anything, that’s not true!

shrdlu United States on 10/24  at  08:01 PM:

Can you say “no-fly list”?  :D
