Dennis Fisher has a blog post entitled ‘The Security Game Needs To Change’ out on ThreatPost. The premise of this post is that the practice of securing networks and applications is broken. Then we have the CEO of RSA, Art Caviello, saying that security models are inadequate.
While I think Mr. Fischer and Mr. Caviello are correct in stating that security is broken, I think they have missed the point as to why it is broken and how to fix it. Mr. Fisher quotes Jeff Jones of Microsoft’s Trustworthy Computing Initiative for his suggested solution. Mr. Jones states, “What we really need is to get more smart people thinking about the problems we haven’t solved yet.” Really? Anyone remember the episode of ‘The Big Bang Theory’ where the guys try to help Penny build the multimedia system from IKEA? Talk about available brain power. Yet rather than assist Penny with the assembly of the unit, they go off on a tangent developing an over engineered and sophisticated solution for a non-existent problem.
That is where I believe information security is at today. We seem to be like Don Quixote, off on tangents such as understanding the motivations of the enemy, anticipating the next attack and other windmill tilting. We keep trying to adapt military approaches to a problem being conducted in a very non-military way. In a true war, organizations would be investing in creating an offensive capability of cyber-armies to go into cyber-battle with the enemy. And while there are discussions about organizations having offensive capabilities, security professionals are still in a defensive posture protecting the organization.
If we are going to fix security, then what we need is a serious paradigm shift. If we will always be in a defensive posture, then the paradigm we should be using is the Fort Knox approach. We focus on what information is important to our organization and go about the business of building a ‘Fort Knox’ to protect that information. Once we begin focusing our efforts on protecting our organization’s critical information, we will find that the rest of our security tasks become much easier. After all, Fort Knox is predicated on a defensive posture, not an offensive one.
I am sure a lot of you are asking, “So doing all of this will perfectly protect my information?” Not even close. As I consistently say, security is not perfect and never will be. No matter how much we try, there will always be people involved somewhere in the process and people are fallible. The concept is that if an incident does occur, you will recognize it quickly, stop it in its tracks and minimize its impact. Will you lose information? Hopefully not, but any information loss will not be significant because you recognized the problem almost immediately and dealt with it.
If you are frustrated with security, change your approach. Until you do that, you will continue to have a broken security model.