I was having an interesting conversation on twitter with Mr. Jeff Man this morning about the state of the infosec world. Mostly about our lack of true understand of risk, and how we have become one of our own biggest problems.
It all started with a tweet from Jeff, ” A vulnerability is one part of the risk equation, but not the only variable. Do we spend as much time on the other variables? #“. Throughout the discussion we talked about understanding the variables in risk management, which in the end is what security really is.
We all know nothing will ever be 100% secure. We have learned about formulas for figuring risk. We realize that we have to use intuition on this formula at times. Do we really understand that upper management looks at the monetary figures more? In a different way, look at the credit card companies here in the U.S. They have lagged behind moving to chipped cards, and still don’t require pins for those chips, even though they are more secure. The risk equation to them points out that they save money by paying out for breaches, instead of requiring the higher priced safer technology. Don’t take the initial hit until you have to. This same principle I remember being described as Japanese manufacturing principle. Figure out what percent of items will not be at proper specifications (returned due to defect). Build in part of that cost into the price, and if the overall cost of returns becomes too high then worry about a recall and redesign. Don’t fix it unless absolutely needed.
Once we grasp this idea, and I mean truly grasp and understand it, we can work with it to our favor. It might take longer term projections, or showing how the brand could be impacted with bad PR (according to some in marketing no PR is bad PR). The issue with us grasping this becomes more cultural though.
The vast majority of us are techies. We are the geeks, the nerds and we love being that type of person. We hyperfocus on the hard problems and ignore or shove to the side the stuff we don’t want to deal with. This though not only affects risk assessment, but the future of the infosec community.
Our community is young still in some ways, but has been getting a lot more rigid lately. Look at what we deem good certs vs. bad certs. How we accept different ideas in, and how we learn. Each year I see more of a divide in certain areas. Training, top notch training, is affordable through your work, if you are lucky, but to do it on your own. $5,000 is a lot of money to shell out, especially for the new people in our line of work, or those looking to break into it. Yes there are things like Cybrary and ITProTV with lower cost, online training (both on demand and virtual classroom). But that $5,000 is in person, hands on, focused training. It is the GIAC, which is a great cert. It is how to get people up to speed and on the same page. It can be a barrier, to entry at worst, but to advancement at the minimum. We as a community have to help ourselves out better with training.
See how thick the forest starts getting? See how we keep looking at just a few trees? We are getting to a point that our lack of vision is creating the problems we are trying to solve. Where we are the problem. The question is, where do we go from here?