There is no such thing as “information” security.
We are so accustomed to the buzzwords of this trade that we sound like a broken record playing the same twenty-year-old mantras, without asking ourselves whether they still make sense.
One of those mantras is the one Bruce Schneier made famous: “security is a process, not a product”. Schneier, rightly so, backed the idea that just buying hardware without a clear understanding of how to use it was a useless way to achieve actual security. But, what a paradox, “security is a process” has been, and still is, the selling pitch of many (in)security vendors. Sure, they sold processes instead of products, but flawed ones nevertheless. Call 27000-1 for details.
While, as I said, I do agree with Schneier’s findings, there is something he didn’t address when talking about security: the role of fear.
I’m not talking about the fear of being infected by a virus, losing data or being on the receiving end of a DoS attack. I’m talking about REAL fear. The fear that possesses you at night when, crossing an empty parking lot, you see a couple of men with something in their hands heading straight at you. The fear that paralyzes you when somebody, trespassing into your personal space, draws a drop of blood from your neck with a knife while asking for your wallet. Or the fear that freezes you even more while somebody beats you and you suddenly realize that he will not stop, no matter what desperate “orders” the brain gives the body.
But how does this affect information security? Just hold on.
To those who deal professionally with violence (soldiers, policemen, doormen) true fear is a good thing. Correctly exploited, fear keeps you alive: it teaches you how to avoid wrong behaviours and how to develop a culture of preemption. Thus, instead of wasting time with self-professed “masters” who promise to teach you the “death touch”, a fair approach to fear allows you to recognize the signals of upcoming violence, de-escalate rage and understand when (on those rare occasions) it is time to go berserk, because there is no alternative to a strong, violent and definitive reaction.
But when fear is mismanaged, for instance by inducing a false pretense of security based on the assumption “I do know how to defend myself”, the actual consequences can be lethal. An example is the often given advice to “act bold” so as to send out a “macho” signal that, supposedly, should scare your potential aggressors. This advice is more akin to a one-way trip to the hospital or the cemetery, because certain violent actions are triggered exactly by this kind of “bravado” in the punk whose territory you have just “invaded”. On the contrary, being aware of your surroundings, handling distance and position relative to the potential threat, and preparing “calmly” to react are behaviours barely visible to the innocent passerby but very clear to the aggressor. He understands that he is not going to face a defenseless prey so, unless he’s a psycho, he will divert his attention elsewhere.
In the IT security field there are no such primitive sensations, so it becomes complicated to choose the right security management model and, as a consequence, the product to purchase. To put it short: IT security managers ignore fear. And this is not because of their boldness.
The fear-based marketing model enforced by (in)security vendors is based upon the rationalization of terror: buy my backup service, so the customer won’t sue you. Pay for my intrusion detection system, so the Data Protection Commissioner won’t fine you for a lack of security measures. And so on.
But this model doesn’t work, as shown (corporate politics aside) by the annoyed reaction of IT managers. They see security as a pain in the neck that only creates costs with no actual benefit.
A “true fear”-based security model, on the contrary, works better: I handle my network so that attacking it is dangerous and tiresome. This way most attackers-by-opportunity will move towards an easier target. Sure, there will always be somebody who targeted exactly “that” network. But they are far fewer, and easier to spot.
Now the hard part: how to?
The answer is neither pleasant nor fit for our times, dominated by recipes, ten commandments for everything and social-networking fast talk: train as much as you can to develop your instinct and become able to understand when something is about to go South. To get a glimpse of what I mean, have a look at Clifford Stoll’s old book The Cuckoo’s Egg, where the author, then a system administrator at Lawrence Berkeley Laboratory, was able to spot a German hacker by way of an inconsistency in the time-sharing accounting records, showing that somebody was using the lab’s computing power without being billed for it.
Thus, uncomfortable as the statement is, to be a good (“good”, not “true”) IT security expert you need to have spent a lot of time in the underground and to bear the marks of that stay. But you must do it for real, instead of reading Bruce Sterling, William Gibson or Neal Stephenson’s books and then pretending to be “the real deal”. In that case, the most you can get is an invitation to speak at some boring institutional conference, an “ICT expert” interview or a temporary lectureship at some minor university.
Between the two archetypes there is the very same difference we can spot between a general who never saw a battle and one who earned his rank risking his life in the remotest places of the world.
I don’t imply, with this opinion, that only those who come from “the life” can understand and practice information security. I’d rather affirm that:
- there ain’t no “information” security, because security needs no qualifier,
- a security manager should be aware of both his skills and his limits,
- (true) fear is a good counselor. Even when managing ICT services.