Security Pie

The ramblings of three security curmudgeons

Rebranding the Postmodern Iconography of Security


Last week Greg Shipley wrote a nice epilog in InformationWeek regarding lessons learnt from Albert Gonzalez’s data heist (http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=219501227). He observed that while we are all cavorting merrily at the prospect of the imminent “hanging” of this thief of “modern data horses”, we did little to address the concern of data security. From my perspective, the CEOs of the companies involved seemed happier to participate in this modern “burning of the witch” than to address the lack of security for what I sincerely hope is not my data.

Similarly, Sharon’s last post discussed the lugubrious habit of equating encryption with security, with a complete disregard to processes, systems and people.

Well, security is getting to be pretty complex, and we humans, in complex situations, tend to flock to iconography.

Original icons are of the deity sort. But postmodern icons can be anything. Espresso crema, evil high fructose corn syrup, local produce, Ken Lewis lying to investors, reduction of carbon footprint.

Encryption can be an icon.
DLP can be an icon (in fact, DLP is fast appearing as an icon, albeit a useless one, on many a security and network product).

Since data security is a need, it can be addressed via a methodical evaluation of risk and rigorously balancing the business virtue vs. the risk of loss; technology becomes a facilitator of process and methods – a requisite part – but nonetheless just a part – of the solution.

Alternatively, it can also be addressed by installing a system of icons: a statue of Ganesh, a road prayer, a hamsa, a statue of the Virgin Mother, a DLP solution, or an encryption solution will all achieve the same – and wanting – results.

For the security practitioner, icons are comforting: they own the latest, the highest performing, the best rated, etc. But unlike board members, who really account for nothing but their quarterly signatures, comfort does not alleviate the need to deliver. Owning the CD of a multi-million dollar high quality application is useless if you can’t afford the 10 servers it needs to run, the abundance of professional services needed for set up and the 100 administrators needed for it to run. All this while the board is waiting to decide if a sacrificial goat is needed.

This has occurred in the past. The roads of security are littered with the carcasses of “ex security experts” who expired when the icons of firewalls became technologies that had to be configured properly and maintained. Similarly, PKI took its pound of flesh at the security altar and raised it to the gods of PKI-as-icon.

Data security is already setting up to be the Kali of the security world. On one hand, effective, business-centric data security makes VPs. I know many system operators and administrators who became security and compliance VPs. Similarly, I know many who have been badly burnt by the data security goddess. Those are better off seeking different employment (barista, perhaps?).

As for me? I am getting to taste the vice of pride, being involved in a market that is fast becoming the chopping block of mediocrity. Bring it on, icon peddlers!

Written by assafl

September 19th, 2009 at 5:56 pm

Posted in Uncategorized