Everything You Know Is Wrong.
Nice article by mogull on why, even though IT security is a relatively new field, you still can’t be a revolutionary overnight.
We see this all the time in any complex field of study or practice. Someone from the outside, either left field or a related field, gets a really cool idea that they think is paradigm shifting. This person believes their outside view is “clearer” than those stuck in the tradition of their various areas of expertise.
On very rare occasion such genius exists. But it isn’t you.
[...]
Some fields are more prone to what I’ll call “exploding lightbulbs” than others. Physicists, cryptographers, and doctors battle this on a sometimes daily basis.
In other words, if you believe you have an absolutely right answer, you’re almost certainly wrong. As a great bumpersticker says, “Don’t believe everything you think.” This dovetails nicely with eLamb’s discussion of the 10 types of security practitioner personalities (sorry, just couldn’t resist mixing my “in” jokes):
I’ve noticed that there are two types of security people: anal “type A personalities” who live every moment by the rules, and those that realize that there is no real security.
Actually, this dichotomy extends further than the security field. I encountered them on a daily basis as an American working in Switzerland. You can guess that a country where people have been seen scrubbing their roofs would be deeply concerned with appearance, order, form, and rules. Americans tend to chafe at anything that interferes with their right to make things up as they go along.
Me, I’ll sit vehemently in the middle. You do need rules, but you need to be able to adapt them when it makes sense to do so, and realize that they’re not absolute. If it’s one thing we humans are good at, it’s making rules and then promptly coming up with exceptions to them. This doesn’t mean the rules weren’t good; it’s just that hardly anything is immutable and universally applicable. If we didn’t work this way, we’d be robots; and it’s exactly why silicon-based systems can be so annoying to carbon-based systems.
I was talking with a peer from another organization the other day, and realized that the problem he was having was that he had to deal with an oversight organization that was seeing security in terms of checklists rather than risk. They were saying to him, “You don’t have X set up, therefore you’re insecure, therefore we’re shutting you down.” (If that isn’t binary thinking on a massive scale, I don’t know what is.) I suggested that he come back at them and challenge them to tell him in quantifiable terms exactly what they were claiming his risk was in not having X. (I then sent him a copy of Jack Jones’s most excellent paper on FAIR to give him a leg up.)
The answer to an absolute statement is to ask “how much?” That completely changes the terms of engagement.
So if you find a soi-disant expert who claims to have solved the whole problem of zero-day attacks, or will revolutionize anything in the security field, ask him to measure it. Chances are, either he won’t know where to start, because he doesn’t understand it himself, or he’ll make up the numbers, because he figures that worked for his idea in the first place. If you can get objectively verifiable numbers in the middle of the scale, then you may just have a winner.
Posted by shrdlu on Thursday, October 26, 2006