Re: [ISN] Info Security 'Teachers' Need More Learning

From: InfoSec News (isnat_private)
Date: Mon Oct 15 2001 - 01:00:54 PDT


    Forwarded from: security curmudgeon <jerichoat_private>
    cc: errata submission <errataat_private>, thornton.mayat_private
    
    > http://www.computerworld.com/cwi/story/0,1199,NAV47_STO64314,00.html
    > 
    > THORNTON MAY
    > October 01, 2001 
    
    > Security professionals insist that better education of business
    > executives is needed. They're right, but while they think they
    > should be the teachers, they really should be the students first.
    > At first glance, writing down what must be known about security
    > and privacy and who needs to know it appears to be pretty basic.
    > But security and
    
    *Appears* to be basic, yes. Anyone that has been in the field for more
    than three months knows this often gets a bit more complex as soon as
    your client has more than seventeen computers.
    
    > privacy professionals appear unable to put the security and
    > privacy to-dos in the proper context for people who manage
    > sensitive information. Why? Security people have never been known
    > to distinguish
    
    Says who? This point alone could be argued back and forth for a few
    weeks I think. The amount of books on security range from "Comp
    Security for Absolute Dimwits" to highly technical books that would
    mystify the masses.
    
    Creating a basic list of 'to-dos' is simple and done often. Finding a
    way to get your clients to comply with that list and not lapse is the
    real trick. 97.3235% of computer security breakdowns at client sites
    is due to their inability to follow the security policy in place (1).
    Further, 83.9823% of those cases were deemed "lack of common sense"
    (2).
    
    > themselves with dazzling feats of writing. Dostoevski and Tolstoy
    > were pithy compared with contemporary security and privacy policy
    > writers.
    
    The client leads these documents. They want wording that is specific,
    repetitive, all inclusive, repetitive, and lawyer appeasing. They ask
    for it, security professionals deliver it.
    
    > So, the first lesson at security school should be basic writing
    > skills.
    
    And the first lesson of journalism should be something about
    stereotyping right? But hey, all journalists are morons (3).
    
    > Then there's the "bedside manner" of security and privacy
    > professionals. They tend to be very good at telling us what's
    > wrong and what's broken, but most of them are mute when it comes
    > to actually fixing the problem.
    
    Most of them... based on what? Can you share the material or survey
    that backs this? And does this apply to the fine people at security
    companies like Guardent? Or are they immune to your verbal beat down?
    
    > Most security professionals would benefit from a bit of advice
    > from journalists in the do's and don'ts of telling a good story.
    > Executives
    
    I find this extremely ironic. If security professionals are to follow
    in the footsteps of journalists, they are fucking doomed.
    
    1. http://attrition.org/errata/ Yeah, journalists are sure on top of
    things.
    
    2. Based on #1, security professionals would be telling their clients
    a complete load of shit that had no foundation in reality. "Yes, this
    IDS system will protect your entire enterprise wide organization, keep
    HR out of Engineering, stop all your modem dialup problems, and
    prevent every employee from being social engineered because they were
    dimwits. Honest."
    
    > of the future won't tolerate messages that aren't highly relevant
    > to them and will filter them out. So, lesson three is
    > storytelling.
    
    Lesson three is NOT storytelling. Security consulting often involves
    auditing of one type or another. In audits, you don't get creative or
    wordy or beat around the bush. You find problems and provide
    solutions. If your argument is that security professionals give crappy
    documentation in their work, then say that. But don't recommend that
    they resort to storytelling as a solution. Leave that to the security
    professional turned journalist for a day.
    
    > Assuming that the security curriculum has been created and taught,
    > the third question becomes, "Has the organization tested various
    > audiences against that curriculum?" Again, we find that less than
    > 10% do so.
    
    And this is the fault of the security professional? How many times are
    we asked to audit or secure a system, write a policy or something
    else, only to find out that our recommendations were not followed up
    on for various reasons? They run out of money, made their boss happy,
    satisfied legal by meeting some minimal demands for security, who
    knows. Do you think that security professionals hand over a security
    policy written to customer specs only to say "thanks for the money,
    file this away and be sure not to follow it!"?
     
    > Three months later, we returned to that 91% and asked, "Have you
    > become more active in designing and implementing information
    > security and privacy programs?" Ninety-five percent said no.
    > Executives endorse the theory and concept of security and privacy,
    > but they don't walk the walk.
    
    And this is the fault of the security professional how?
    
    And could you cite this survey please? I couldn't find it on the
    Guardent web site. I did find this "gem" of an example though (4):
    http://www.guardent.com/pr2001-06-25-01-GEM.html
    
    This sounds exactly like what you are speaking out against. You want
    to put all that in plain English?
    
    > Thornton May is corporate futurist and chief awareness officer at
    > Guardent Inc. in Waltham, Mass. Contact him at
    > thornton.mayat_private
    
    What a complete disappointment.
    
    Being with Guardent, I am just SURE that you and your firm aren't like
    the bad guys you talk about above, right?
    
    
    (1) I made this number up so we can both quote studies to back
        our argument. Like you, I won't provide a full reference.
    (2) See number 1 hombre.
    (3) And all security professionals are not journalists obviously.
        Hypocrite.
    (4) ha ha i kill me with these puns
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Oct 15 2001 - 16:19:15 PDT