Why? In French
I usually do not like to quote films. But once in a while I see an old quote in a new light. In the superbly geeky Matrix trilogy there is a very likable character called “the Merovingian” or “the Frenchman” which falls nicely into the stereotypical bucket of a hedonist philosophical french person (in reality, the hedonism cloud has long left Gaul land and has settled nicely on the far East, and as for philosophy, well, it is in French, you know…).
In the following discussion (from “The Matrix Reloaded”, 2003) the Merovingian refuses to give up the keymaker to Morpheus, Trinity, and Mr. Anderson:
Merovingian: The question is, do *you* know why you are here?
Morpheus: We are looking for the Keymaker.
Merovingian: Oh, yes. It is true. The Keymaker. Of course. But this is not a reason. This is not a “why”. The Keymaker himself – his very nature is a means. It is not an end. And so to look for him is to be looking for a means to do… what?
The Merovingian think deterministically. He believes in causality. He believes that there is a reason for everything and that the answer to all questions lies in having all historical data and mining this data to understand the cause and effect. His belief is useless for untangling the complexity of real life, but serves well in the security world.
Merovingian and Persephone
Technical security does not care about the “Why”. Why is irrelevant. A spyware is a spyware, a bot is a bot, and a virus is a virus. None of these have any reason to be on any network (with the sole exception of the quarantined research labs of security vendors and security researchers), and wherever they are found they are promptly disposed of. They are the online equivalents of rats in the kitchen: the cook chases them with a hatchet.
However, when attempting to secure the business it is the “Why” that is important. Why does the employee need access to Facebook? What is the risk associated with this access? And how does the security team empower (i.e. allow) the employees to do their job and make money – safely?
Why do employees leak data, need administrator privileges, or access websites? Well, in most cases it is to get their job done. Or to augment an employee 2.0 lifestyle with extracurricular activities. Whatever it is, it has a reason, a business process, or a habit behind it.
Without the “Why” business security is blind and can cause as much harm as good.
The Merovingian also said: ”I love French wine, like I the French language. I have sampled every language, French is my favorite. Fantastic language. Especially to curse with. Nom de dieu de putain de bordel de merde de saloperie de connard d’enculé de ta mère. It’s like wiping your arse with silk. I love it. ”
Couldn’t agree more.