Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Of course, some people do go both ways.

Saw this blog posting this morning on BlogInfoSec.com:

Slashdot Post On Security Ethics Demonstrates Professional Naiveness[sic]

wherein Kenneth Belva takes a frustrated security professional to task:

I wish this anonymous reader put their name to the article. Their statement above demonstrates their complete lack of understanding of the security process within a corporate environment from a political perspective.

Well, in the first instance, Mr. Belva demonstrates professional ignorance of certain words (it’s “naïveté”), and in the second, claims to understand “the security process within a corporate environment” without acknowledging the fact that the issue here is risk, not necessarily politics.

Read the original posting again:

“I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business. It’s truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?”

You could easily read this as someone who is overstating risk, or someone who is stating it accurately.  It all depends on where you’re standing. If you’re on the left, you see it as being too far to the right, and vice versa.

This just underscores the need for an objective dialogue on risk, and a common taxonomy for everyone to use.  (No, I swear I’m not trolling for more links from Alex and Jack; I really do believe this.) Everyone knows the situation where an auditor writes you up for allowing SSL v2 or some such silliness, and you just want to shake them by the lapels and say, “Why do you think this is a serious risk?  Why is this serious enough to write up?”

So this situation could go either way—they really could be strong-arming auditors into reducing risk ratings on objectively serious issues, OR they could be giving the auditors plausible reasons to reduce the risk ratings.  This is why we need explicit, written risk assessments that are open to discussion.

UPDATE

Mr. Belva was kind enough to notify me of his response:

I became aware of a post on Layer8 accusing me of being “professionally ignorant.” Unfortunately this individual will not allow people to comment on the Layer8 site unless one registers. So here is my reply to this blogger:

=============

I believe that naïveté and naiveness are synonyms and are both nouns, which means they are interchangeable.

Dictionary.com:
http://dictionary.reference.com/browse/Naiveness

——-
naiveness

noun
lack of sophistication or worldliness [syn: naivete] [ant: mundaneness]

WordNet® 3.0, © 2006 by Princeton University.
——-

Here’s Princeton’s direct URL which basically states the same thing as dictionary.com:
http://wordnet.princeton.edu/perl/webwn?o2=&o0=1&o7;=&o5;=&o1=1&o6;=&o4;=&o3;=&s=naiveness&i=0&h=0#c

——-

Perhaps a second post with a retraction is in order for your slander against me in regards to my “professional ignorance.”

Sure thing, buddy—I’ll retract my sarcasm if you actually respond to the main point of the post instead of whingeing about “slander.”
(Weren’t you doing the same thing when you accused the Slashdot poster of a “complete lack of understanding” as well as “naiveness”?)

Posted by shrdlu on Friday, April 18, 2008