On Techniques and Methodologies – Or the “Great Security Quibble”
Great craftsmen use tools to manipulate raw material into something great. Luthiers painstakingly select the proper wood for the application and work it into emotion-inducing string instruments. Great chefs select great products and use various techniques to convert the products into something better. The better security professionals select the tools that will help them advance the state of security (of being secure) throughout their organization.
All this assumes great craftsmen and professionalism in their art. Without a great luthier, it does not matter how good the planes and cutters and bridge-setter tools are, or how long the maple, spruce, ebony or other wood has been aged. The violin will just not sound right. Similarly, an awful cook can take the best products and convert them into something that is both disturbing and toxic.

Competent professionals work with determination and aplomb
An incompetent security professional can spend many resources on the wrong products and technologies. Even worse, the incompetent professional might lead their organization to a false sense of security (which oddly reminds me of the famous Monty Python sketch about the “machine that goes ping” http://www.youtube.com/watch?v=arCITMfxvEc; I have this vision of John Cleese as a security guy saying “we have this doohickey here and therefore we are secure – What? … Nah – Did we need to install it?”).
What sets apart the great practitioners and professionals from the incompetent wannabes is a keen focus on the issues at hand and a mastery of the techniques and methodologies prevalent in the field. Good practitioners understand the focus, know what needs to be done, and execute, while the best professionals are able to understand the ecosystem of the current techniques and methods and extend their boundaries in order to adapt to a changing landscape.
And yet I keep hearing and reading generic discussions surrounding security that are uprooted from any meaningful scenario (a time and place, and sensitivity to risk). Current topics I read about on a daily basis are the security of cloud services and the security of virtualized applications/platforms. I call these “security quibbles”.
Discussing these topics without planting one’s feet on the terra firma of a scenario is utterly meaningless. For example, let’s review a current discussion topic: which is better, SAAS, Hosted Server or Hosted Virtual Image? Let’s try to avoid the standard silly audiophile-style discourse (my Mark Levinson amplifier sounds better than your Krell; there is more “air” around the resin of the violin), so let’s say that the data is the codes for the US strategic defence ICBM missiles. For this scenario, all three are equally bad. In fact, anything that is connected to any public network is too risky for this application (IMHO). What about a banner ad server for Google ads? Probably all three work equally well, perhaps overkill. Another part of the equation is the quality of your security team – better teams can better provide security for their organization.
It is the fad/fashion of the day and thus better left to such professional magazines as People magazine and the National Enquirer. It has no place in the security discourse.
Product selection processes are yet another such area that is prone to the quibble mentality of generalities and fads/fashions. But sales of any sort (be it toys, game consoles, cars, houses, submarines, nuclear missiles, planes, ECG machines, power plants, AV systems or any other “large enough to be substantial” expense) are more a matter of psychology than of scientific method. As a result, in many cases where needs should drive product selection, the opposite happens.
Outsourcing is another oft-blogged entry. Outsourcing is neither good nor bad for security. It has its risks.
The security professional should stop thinking about technology trends as good-or-bad, and instead analyze the risk, identify the critical business factors, and make sure they are articulated properly to the decision makers/vendors. The different options will be laid out with the associated risks, and any suggested modifications to SOP (methods and techniques) should be highlighted. Similarly, critical business factors should then drive the selection of any products that compensate for areas of increased risk.
I will concede on one point: the security quibble is what keeps us interested. The security quibble is the pornography of the security world. When I get some time, reading security blogs is amusing and fun. But the best has got to be Bruce Schneier. His books sometimes read like “coming of age” stories, except for the security “spin”: the cryptographer “coming of age” and realizing that the world is not perfect. To which I agree – it is not.