Awesome comparison between IT (King Lear) and the Business (Hamlet)
FLAMING RETORT
Lear’s basic flaw at the beginning of the play is that he values appearances above reality. He wants to be treated as a king and to enjoy the title, but he doesn’t want to fulfill a king’s obligations of governing for the good of his subjects. Similarly, his test of his daughters demonstrates that he values a flattering public display of love over real love. He doesn’t ask “which of you doth love us most,” but rather, “which of you shall we say doth love us most?” (1.1.49). Most readers conclude that Lear is simply blind to the truth, but Cordelia is already his favorite daughter at the beginning of the play, so presumably he knows that she loves him the most. Nevertheless, Lear values Goneril and Regan’s fawning over Cordelia’s sincere sense of filial duty.
“Security” is facing a similar problem.
To that end, and without meaning to, Gunnar Peterson and Lenny Zeltser wrote about this whale of a problem in two thought-provoking blog posts describing what they portray as the sorry state of security today: specifically, the inappropriate mission focus and misallocation of investment (Gunnar) and the need to remedy the skills gap and broaden the “information security toolbox” (Lenny) in the overly infrastructure-centric model used today.
Gunnar followed up with another post titled: “Is infosec busy being born or busy dying?” Fitting.
Both gents suggest that we need to re-evaluate what, why and how we do what we do, and where we invest, by taking on a more elevated service-delivery role focused on enablement, architecture and cost-efficiency, based on models that align spend to a posture I can only describe as reflecting the mantra of survivability (see: A Primer on Information Survivability: Changing Your Perspective On Information Security):
[Gunnar] The budget dollars in infosec are not based on protecting the assets the company needs to conduct business, they are not spent on where the threats and vulnerabilities lie, rather they are spent on infrastructure which happens to be the historical background and hobby interest of the majority of technical people in the industry.
[Lenny] When the only tool you have is a hammer, it’s tempting to treat everything as if it were a nail, wrote Abraham Maslow a few decades ago. Given this observation, it’s not surprising that most of today’s information security efforts seem to focus on networks and systems.
In addition to the infrastructure security “hammer,” our toolbox needs to incorporate the following elements:
These ideas are congruent with the concerns I expressed when outlining the worrisome state of the information security industry. However, that note pointed out problems without saying much about solutions. Looking at ways of expanding the security toolbox might be a more constructive way of tackling the issues.
Thing is, the pitch is less believable these days, and the atmosphere is becoming downright hostile.
We face more and larger breaches, increased costs, more advanced adversaries, and a growing number of public control failures. Regulation and litigation have both increased. We're still struggling with the expensive PCI initiative, an effort as controversial as its efficacy is questionable: U.S. businesses continue to hemorrhage credit card numbers and personally identifiable information. The tab for the Heartland Payment Systems breach, which compromised 130 million card numbers, is reportedly at $144 million and counting. The Stuxnet worm, a cunning and highly targeted piece of cyberweaponry, just left a trail of tens of thousands of infected PCs. Earlier this month, the FBI announced the arrest of individuals who used the Zeus Trojan to pilfer $70 million from U.S. banks. Zeus is in year three of its reign of terror, impervious to law enforcement, government agencies, and the sophisticated information security teams of the largest financial services firms on the planet.
We get best practice shoved down our throats all the time (ITIL anyone?). I would bet a rare Yorkshire quid that few of the people touting best practices can articulate both Why and In Relation to What.
If a best practice is defined as “superior to other practices”, then what are those other practices? And why is one superior to the others? It just might be that in my situation another practice might be best. What’s best for you might not be best for me, right? But you can’t know that, so we are still friends.
I’ll be honest: best practices appeal to my lazy self. If someone else has done all the heavy lifting, then why not leverage their hard work? Aren’t best practices a form of altruism? Well, that’s a bit of a trusting approach in an untrusting world. What if the author is lazy too? What if that author just lifted their best practice from someone else, ad infinitum? Now nobody knows why it’s a best practice, the reason is lost in time, and we all go baa.
FWIW I give a damn because my lazy self really wants to use best practices but because of my irksome sense of self preservation I have to do a bit more homework before I reuse any existing best practices… and in fact, this attitude means I can’t take someone else’s short cuts and makes me into an ever more cynical person.
So, here are three things I’m going to do from now on, and I encourage you, Dear Reader, to do the same:
Up for it? Let’s start now. Personally, I never recommend best practices; I only recommend suitable practices to match the requirements, but that’s another story…
This situation typifies the classic security dilemma. Everyone wants three things from their security system:
Raise security awareness - Good security is like the electrical grid, no one thinks much about it until it fails. While you don't want to create hysteria, you might want to make people aware that there are real security threats. Does anyone outside of IT know how many intrusion attempts you've blocked or how many virus threats you've countered? Maybe they should.
Knowing this may make people a little more rigorous in following security provisions, and management may be willing to spend a little more on security if they know what it is doing for them.
Avoid the Chicken Little syndrome - There are new security threats every day. It's our job to assess them and act accordingly. Part of this is knowing when to raise the alarm and when you shouldn't. "The sky is falling" didn't turn out well for Chicken Little, and likewise a constant security crisis attitude eventually will dull people's sensitivity to security.
Match the security to the risk - One way to get people more accepting of stronger but more difficult to use security provisions is to only use them when truly warranted. Save the tight security provisions for the really important stuff. Treating everything the same tends to lower the overall significance. Does access to the stock records in the parts warehouse really need the same tight security as the payroll records?
There are a number of data loss prevention systems and techniques that can control data from leaving your system. The downside is that there are trade-offs including cost and impact on your business. While controlling the flow of information can protect your data it can also limit your ability to do business.
This is the classic security dilemma. Everyone wants three things: tight security, ease of use and low cost. The dilemma is that you only truly have a choice of two. As a result, we compromise to balance these three factors to suit our needs. Our job as IT leaders is to help determine the right balance, to be an honest broker in evaluating pros and cons, and to lead the discussion and decision.
Most IT systems like EMRs, EHRs, and other medical record capture and retrieval products are purportedly designed for physicians but they really are created to improve the hospital administrators' lives, get data to government agencies looking for comparative medicine, push paperwork through to insurance companies so that they can deny claims faster, and many other "features" that don't really do anything for the doctor.
The problem is not that doctors don't like IT; it's that they don't get the same value out of it that other participants in the system do.