(This Post was written for ITWeb for the Upcoming ITWeb Security Conference)
A security guy talking about impending doom. How rare! Except I’m not talking about the next Botnet, virus or nuclear reactor destroying worm, I’m talking about the crisis of confidence that’s heading our way, and the fact that we seem completely oblivious to its arrival. We (in the field) have been building a house of cards, and some day really soon it’s going to come down around us.
10 years ago, the Infosec industry was in its infancy and we complained bitterly about the lack of management buy-in while we struggled to justify our existence in the corporate hierarchy.
In the mid 90’s we started getting taken seriously. Firewalls and security policies became a part of the corporate lexicon and security teams grew in size. For a while it seemed like the game had equalized, our efforts matched the threats of the day, but the threats of the day were pranksters and kids. We cried “Mission Accomplished” too early.
The threats evolved and the attackers became professionals while we started getting used to corporate meetings, Aeron chairs and TPS reports.
We kept whining though. We need more budget! Management don’t buy in! We were actually compiling our list of excuses for our complete and utter failure to achieve our objectives, and we have failed! Think it’s not that bad? Here’s a simple, sobering hypothetical I posed in a talk last year: imagine the highest value individual at your corporation. The guy whose computer (and the data assets it touches) you would do anything to protect. Can you honestly say you can stop a determined attacker from compromising him?
For the thousands your organization spends on security, you can’t protect the one guy who is most valuable to you. Worse yet, would you even know if he was popped?
How ineffectual can we be? This problem compounds, because company boards are now increasingly aware of the Infosec problem, but they are making the logical assumption that the teams of people they are paying have the problem under control. They don’t know that we don’t have the answers yet, that many of us are resorting to hope as a strategy, hoping desperately that when the breach eventually happens, it won’t happen on our watch.
We find ourselves now in a strange position. The boards pay our (sometimes huge) salaries and send us to conferences and even though we occasionally whine, they assume we have the matter in hand. They think the millions of dollars being spent worldwide on penetration tests and anti-virus means that we could at least protect the CFO. We know we can’t but somehow, just never find the right opportunity to let them know.
The industry itself has become so incestuous that we strongly resemble the investment banks just before the meltdown. Lots of money changing hands. Surface-level checks and balances being executed by people with a strong disincentive to speak truth to power. Everything will hum along, until it won’t!
Every day that we do not suffer the critical attack of our nightmares is an additional day that makes people think the attack is less likely. As Taleb points out, the scarcity of the Black Swan event does not alter the likelihood of it happening; it merely makes the result more shocking when it does.
The board is going to be asking: “Isn’t that what we paid you guys to prevent?”
There’s going to be some feet shuffling, some finger pointing, and some heads will roll. Honestly, I think we are going to deserve it!