Why Alex keeps me up at night.
Things like this, that’s why.
And not just because he puts me in mind of songs:
(and yes, I can make references closer to this century)
but because his questions can’t be answered in a short comment.
When he asks, “What are you managing towards?” and gives some good examples of answers, my first impulse is to combine one or more of them and say something like:
“I’m managing towards just enough control strength to let luck take over.”
That’s dipping into Good-Enough-Securityland, where “good enough” is measured as “whatever keeps us from shooting ourselves in the foot.” This doesn’t sound at all noble, I know, and it’s not as cool as Andrew and the Metrics or even our Bayesian Homeboys, but to be honest, my management doesn’t want to get to that level of elegance. They just want me to keep their names out of the papers, do the right thing by our customers, and tell them how much they should spend to achieve that.
I make it a point to remind them from time to time that we’re doing pretty well on the prevention and detection fronts, but that nobody is going to be able to stop a targeted attack. They’re reasonable folks; they understand this. They understand that you can’t control a threat, especially one that’s external. What I’m doing is working to prevent opportunistic attacks, and making sure we’re doing enough due diligence that a reasonable person would feel that our legal backsides are covered.
Managing to compliance is almost irrelevant to our security landscape. That would be like managing your accounting to compliance. Yes, you want to make sure you’re following the rules, but you sure wouldn’t manage your finances with the end goal of passing an audit. In fact, if you asked any CFO if he were “managing towards compliance,” he’d probably look at you funny.
Schneier’s extremely depressing and extremely true essay on why it’s so hard to sell security says it all. My bosses don’t want to get to “best” or “100% compliant.” They want to do better than the competition, but not radically so if it means incurring too much “loss” in the form of paying for security; they want to feel confident that they have done the best they can to put in reasonable controls. And then they want to forget about it and go about their real business.
Once a year, I write a report (oh, 40 to 60 pages’ worth) on what my section has been doing and what else I think we need to do to stay at “good enough.” Then my senior management sits down with me and we have a discussion to update what we think “good enough” means for us. If they want metrics to help them zero in on “good enough,” they’re in the report. I tell them what I’m doing with their money, and if possible, I compare it to what our peers are doing. It’s one big “state of the union” talk; it lasts only long enough for them to grok it, and then we’re done.
They get to spend the rest of the year feeling lucky.
Posted by shrdlu on Tuesday, June 03, 2008