WARNING! LONG RANT ON THE NATURE OF SECURITY AND THE LACK THEREOF.
I have been trying to do IT Security for years. In the security field we have a lot of problems. The recent Target and Neiman-Marcus breaches are symptoms of security's problems. I tried to enumerate some of these problems in a presentation to SaintCon2013: https://it.wiki.usu.edu/UtahSaint2013Defense The problems include:
- Many of our institutional leaders advocate fake security instead of real security.
- We love secrecy, but secrecy is not security. Some secrecy is justified, but usually the bigger the community, the more damaging the secrecy. Secrecy does not enhance meaningful community security. Secrecy blinds security. Secrecy blinds the community. Secrecy isolates security from its community. Secrecy favors the illegal over the legal, the private agenda over the public agenda, the attacker over the community.
- We love attack, but attack is not security. The skills required to effectively defend are very different from the skills learned by attack. Attack can inform defense, but that is the limit of its contribution. You have to refine new skills to maintain an effective defense. Attack focuses on short term objectives. When immersed in the dance of attack and react, you lose sight of your long term objectives. If you base your defense on attack, you doom yourself to a lonely battle against insurmountable odds.
- Our biggest problem is we are not taught how to do security. We are taught attack. But attack is not security. We are taught checklists, but checklists are not security.
Effective Security and Defense comes from the Future.
Security is a meaningful assurance that your goals are being accomplished.
- The details are transitory. But, without goals, security has no point.
- Sticking to your goals when attacked is the heart of defense. Ultimately, it is the only thing that matters in security.
- Your organization adds value by sticking to its goals. But this is more than just a matter of value added. Goals are the spirit of the organization.
- If you don't stick to your goals when attacked, then you have lost. The attacker may not have won, but you have lost.
- We begin to create security when we teach Security folks how to support institutional goals.
The beginning of effective defense is to create community.
- Attack can be sharp and pointy. Defense must be deep and broad. The more people involved in Defense, the better. They must agree on purpose. They must be a community.
- Then the community must agree on its most important goals.
- You have to write the goals down. Review them.
- The Community must be aware of its priorities.
Without this, you have no idea who or what to defend.
The first and most important duty of security is to engage and motivate the community. Your first community will be your technical folks. But you must expand beyond them.
The second critical duty of security is to create, prioritize and maintain clearly articulated and agreed-on community goals.
The third critical duty of security is to defend the goals against substitution, dilution or distraction. Only here at the 3rd layer do you begin to consider the lessons learned from attack.
Security is most commonly attacked when somebody convinces you to adopt goals that are not in your best interests. Being able to break security on demand is the holy grail of modern marketing.
Security IS possible. Effective Defense is possible. But you need to focus, plan, and prepare. Your actions must advance your goals. You must exist in the future. You can't just react.