Forwarded from: security curmudgeon <jerichoat_private> cc: errata submission <errataat_private>, thornton.mayat_private > http://www.computerworld.com/cwi/story/0,1199,NAV47_STO64314,00.html > > THORNTON MAY > October 01, 2001 > Security professionals insist that better education of business > executives is needed. They're right, but while they think they > should be the teachers, they really should be the students first. > At first glance, writing down what must be known about security > and privacy and who needs to know it appears to be pretty basic. > But security and *Appears* to be basic, yes. Anyone that has been in the field for more than three months knows this often gets a bit more complex as soon as your client has more than seventeen computers. > privacy professionals appear unable to put the security and > privacy to-dos in the proper context for people who manage > sensitive information. Why? Security people have never been known > to distinguish Says who? This point alone could be argued back and forth for a few weeks I think. The amount of books on security range from "Comp Security for Absolute Dimwits" to highly technical books that would mystify the masses. Creating a basic list of 'to-dos' is simple and done often. Finding a way to get your clients to comply with that list and not lapse is the real trick. 97.3235% of computer security breakdowns at client sites is due to their inability to follow the security policy in place (1). Further, 83.9823% of those cases were deemed "lack of common sense" (2). > themselves with dazzling feats of writing. Dostoevski and Tolstoy > were pithy compared with contemporary security and privacy policy > writers. The client leads these documents. They want wording that is specific, repetitive, all incusive, repetetive, and lawyer appeasing. They ask for it, security professionals deliver it. > So, the first lesson at security school should be basic writing > skills. And the first lesson of journalism should be something about stereotyping right? But hey, all journalists are morons (3). > Then there's the "bedside manner" of security and privacy > professionals. They tend to be very good at telling us what's > wrong and what's broken, but most of them are mute when it comes > to actually fixing the problem. Most of them.. based on what? Can you share the material or survey that backs this? And does this apply to the fine people at security companies like Guardent? Or are they immune to your verbal beat down? > Most security professionals would benefit from a bit of advice > from journalists in the do's and don'ts of telling a good story. > Executives I find this extremely ironic. If security professionals are to follow in the footsteps of journalists, they are fucking doomed. 1. http://attrition.org/errata/ Yeah, journalists are sure on top of things. 2. Based on #1, security professionals would be telling their clients a complete load of shit that had no foundation in reality. "Yes, this IDS system will protect your entire enterprise wide organization, keep HR out of Engineering, stop all your modem dialup problems, and prevent every employee from being social engineered because they were dimwits. Honest." > of the future won't tolerate messages that aren't highly relevant > to them and will filter them out. So, lesson three is > storytelling. Lesson three is NOT storytelling. Security consulting often involves auditing of one type or another. In audits, you don't get creative or wordy or beat around the bush. You find problems and provide solutions. If your argument is that security professionals give crappy documentation in their work, then say that. But don't recommend that they resort to story telling as a solution. Leave that to the security professional turned journalist for a day. > Assuming that the security curriculum has been created and taught, > the third question becomes, "Has the organization tested various > audiences against that curriculum?" Again, we find that less than > 10% do so. And this is the fault of the security professional? How many time are we asked to audit or secure a system, write a policy or something else, only to find out that our recommendations were not followed up on for various reasons? They run out of money, made their boss happy, satisfied legal by meeting some minimal demands for security, who knows. Do you think that security professionals hand over a security policy written to customer specs only to say "thanks for the money, file this away and be sure not to follow it!"? > Three months later, we returned to that 91% and asked, "Have you > become more active in designing and implementing information > security and privacy programs?" Ninety-five percent said no. > Executives endorse the theory and concept of security and privacy, > but they don't walk the walk. And this the fault of the security professional how? And could you cite this survey please? I couldn't find it on the Guardent web site. I did find this "gem" of an example though (4): http://www.guardent.com/pr2001-06-25-01-GEM.html This sounds exactly like what you are speaking out against. You want to put all that in plain English? > Thornton May is corporate futurist and chief awareness officer at > Guardent Inc. in Waltham, Mass. Contact him at > thornton.mayat_private What a complete disappointment. Being with Guardent, I am just SURE that you and your firm isn't like the bad guys you talk about above right? (1) I made this number up so we can both quote studies to back our argument. Like you, I won't provide a full reference. (2) See number 1 hombre. (3) And all security professionals are not journalists obviously. Hypocrite. (4) ha ha i kill me with these puns - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Oct 15 2001 - 16:19:15 PDT