Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Trust never sleeps.

Sometimes I get pushback from my users when I’m doing a risk assessment and want to examine the risk associated with a particular partner.  They frown and say, “They’re secure,” as if it were offensive that I should even ask.  Of course, an executive that says this has never performed an audit of this party’s networks, or asked to see the results of a pentest, or indeed made any effort to collect information to bolster this assessment.  He’s running purely on trust.

Lots of folks have explored the reasons why we choose to trust something in general; it’s part of our subconscious risk assessment engine.  So I won’t go too deeply into it, except as it affects me and my own responsibilities.

We tend to trust something that we have known for a long time.  An employee that has worked for us for 20 years; a vendor that has worked for us before; a barista we see every morning.  Because of our history of experiences with them in which nothing bad has happened, we rely on that prior knowledge to estimate a lower risk.

We also trust something that is well-known.  Big Three-Letter Vendor tends to get higher automatic trust than Bob’s PCI Shoppe. 

We trust something that we see everyone else trusting.  Fortune 100 companies can’t be wrong, right?

We trust something with which we feel an affiliation.  If those folks over there are Just Like Us, they must be okay. 

And finally, we trust something when we feel the anticipated benefits will outweigh the risk (that we haven’t examined all too closely, and won’t, because if we found something bad it would conflict with our need to get these great benefits).

All of these factors come into play when you’re trying to make a case for auditing a third party, or monitoring a user, or restricting access.  And it’s very hard to come out and confront this, because if you have a CEO who has friends over at this vendor shop, he’s not going to be too introspective about it.  People will look at you strangely when you ask for security testing of a product that people have been happily using for five years.  Especially if you’re the only one who has ever thought about security, you’re going to be battling a lot of human nature in the name of objectivity and verification.

Quoting Ronald Reagan helps sometimes.  That’s about all I can give you.

Posted by shrdlu on Monday, April 06, 2009