Is Security Broken? And How I Propose To Fix It

Dennis Fisher has a blog post entitled ‘The Security Game Needs To Change’ out on ThreatPost.  The premise of this post is that the practice of securing networks and applications is broken.  Then we have the CEO of RSA, Art Caviello, saying that security models are inadequate.

While I think Mr. Fischer and Mr. Caviello are correct in stating that security is broken, I think they have missed the point as to why it is broken and how to fix it.  Mr. Fisher quotes Jeff Jones of Microsoft’s Trustworthy Computing Initiative for his suggested solution.  Mr. Jones states, “What we really need is to get more smart people thinking about the problems we haven’t solved yet.”  Really?  Anyone remember the episode of ‘The Big Bang Theory’ where the guys try to help Penny build the multimedia system from IKEA?  Talk about available brain power.  Yet rather than assist Penny with the assembly of the unit, they go off on a tangent developing an over engineered and sophisticated solution for a non-existent problem.

That is where I believe information security is at today.  We seem to be like Don Quixote, off on tangents such as understanding the motivations of the enemy, anticipating the next attack and other windmill tilting.  We keep trying to adapt military approaches to a problem being conducted in a very non-military way.  In a true war, organizations would be investing in creating an offensive capability of cyber-armies to go into cyber-battle with the enemy.  And while there are discussions about organizations having offensive capabilities, security professionals are still in a defensive posture protecting the organization.

If we are going to fix security, then what we need is a serious paradigm shift.  If we will always be in a defensive posture, then the paradigm we should be using is the Fort Knox approach.  We focus on what information is important to our organization and go about the business of building a ‘Fort Knox’ to protect that information.  Once we begin focusing our efforts on protecting our organization’s critical information, we will find that the rest of our security tasks become much easier.  After all, Fort Knox is predicated on a defensive posture, not an offensive one.

I am sure a lot of you are asking, “So doing all of this will perfectly protect my information?”  Not even close.  As I consistently say, security is not perfect and never will be.  No matter how much we try, there will always be people involved somewhere in the process and people are fallible.  The concept is that if an incident does occur, you will recognize it quickly, stop it in its tracks and minimize its impact.  Will you lose information?  Hopefully not, but any information loss will not be significant because you recognized the problem almost immediately and dealt with it.

If you are frustrated with security, change your approach.  Until you do that, you will continue to have a broken security model.


0 Responses to “Is Security Broken? And How I Propose To Fix It”

  1. Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.


April 2012
« Mar   May »

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 1,981 other followers


%d bloggers like this: