Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Realsicherheit.

Been thinking more about why Hoff and I keep talking at cross purposes with each other.  Part of the problem is that I am stuck in the daily position of having to make what changes I can to improve security that are supported by my management’s view of their risk.  There are a whole bunch of things that I’d love to implement, but realistically speaking, I can’t force them through all at once.  I have to plan which measures will take care of the most low-hanging fruit, which are least invasive to the rest of the organization, which I and my team have the most control over getting done, and which are least expensive (in real dollars, not FTE effort).  I have to figure out what I can squeeze out of the budget this year, what I can realistically argue for next year, and what has to be put in now in order to have a firm foundation for new systems and applications.  My security plan is multi-year, of necessity.

Every year, I can generally get away with asking for one or two major projects which involve forcing the development teams and/or the sysadmins to remediate their systems.  This year, I have an outsourcing to contend with that I didn’t ask for and which is going to use up all those spare cycles, so I’m hosed there.  I can buy three or four security products as long as they’re noninvasive (i.e. my team can set them up without requiring help from everyone else).  I can put a few new standards in place that require developers and sysadmins to tweak what they have.  I can change all the processes I want within my own team, and I can change a few more processes elsewhere as long as they don’t cost significant money or effort.

I suspect I’m not too different from other security managers in this respect.

I was talking to an acquaintance who is in the throes of setting up Security By Contract.  The security levels he has to implement are part of the contracted service he’s providing.  The problem is that his client isn’t anywhere near a decent level of security, and he’s not sure he can get them very far any time soon.  So he’s wary of setting the security goals too high in the contract he’s negotiating with them.  The client, on the other hand, wants to throw every security setting and the kitchen sink into the contract, because they’re afraid that later on they won’t get it if they don’t ask for it now.  I don’t know how they’re going to solve this impasse.  Security By Contract is a very painful way to manage and it has very little to do with risk management (unless you count breach of contract as a risk; it’s the main one they’re forced to focus on).

Hoff is being paid to be evangelical about security.  That’s great.  We need those in the business.  I wish I could join in the fun; I’ll watch from the sidelines and cheer.  But during my day job, I’m stuck with the limits set by my management’s view of their risk.  If I want to improve security here, I have to do it either very, very cheaply, or I have to raise the level of risk my management is perceiving, so that they’ll devote more money to it—without resorting to FUD, which destroys my credibility.

Hoff gets to be the visionary (or “wisionary,” as my Swiss colleagues used to pronounce it), and I get to be the face of Realpolitik as it pertains to security.

Maybe someday we can meet in the middle and get together for a beer.  He’ll have to buy, though, because he’s the one with the expense account. ;)

Posted by shrdlu on Monday, October 22, 2007