Security's Everyman

Monday, October 15, 2007

Where are the leaders?

This is inspired by both my buddy Sun Tzu and Michael Farnum. Michael is a little down about the state of security. It seems to all be about playing catch-up and buying stuff. But are we getting anywhere? It seems that we are always a few steps behind the bad guys.

My handy dandy Art of War calendar quote for last Friday says "The lives of the people and the order of the nation are in the charge of the generals. The difficulty of finding good leadership material is a perennial problem."

Therein lies the problem: leadership. We have leaders in security, but mostly they are focused on their own company's issues or their own little area of expertise. What we need are leaders who lead from where they are and then move out into larger areas and share their experience. We need people who aren't afraid to take chances and challenge the best practices. Much of our problem stems from the fact that we lean too much on the concept of best practices. We say "Oh look, we need to implement X solution because it is a best practice." We look at things and say "What best practice can we implement to address X issue?" We don't stop and think about where the problem stems from and what the best answer is for us, instead of the best-practice answer.

In today's world of regulations and compliance we are afraid to look outside of best practices for fear of having auditors question us. Those who don't worry about the auditors, and instead worry about securing their networks and protecting their data in the way that is best for them, are the ones who are the leaders. They are the ones who stay ahead of the bad guys instead of playing catch-up.

So to answer Michael's question "Does Security Nirvana Exist?" No, but those who think and don't just blindly follow the crowd are a lot closer to it than the rest of the world is.


Rob Lewis said...

Actually, isn't Mr. Farnum showing a form of leadership by calling a spade a spade, by stating what the security industry actually is: a cash cow?

He is by no means the first; Ranum and others have been saying that bolt-on point solutions are doomed to failure, for years now, since the security model is inherently flawed. The industry continues to simply re-invent themselves in order to fail once again.

The herd mentality that delivers "best practices" also provides intrinsic self-protection, for who gets fired for following such best practices?

There is a possibility that the herd also leads to group think, preventing anyone inside the herd from thinking outside of the box. Just look at the pushback over de-perimeterization.

To answer your question then, I think Chris Hoff has shown some leadership by leading the charge into some needed and hard-hitting discussion on such topics.

Andy, ITGuy said...

I hope that my comments didn't appear to be saying that Michael is not a leader. I know Michael and truly believe that he is a leader. He is not one to sell something just to sell it. If it doesn't fit he will tell the customer and move on.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.