200 OK Reclaiming Pragmatic Security: Why Standard Computer Security approaches Stink


The standard approach to computer security goes something like this: "Remember, Job #1 of any security professional is to make sure nothing bad happens. You don't have to be elegant, you just need to get the job done." [1] That statement is from Mike Rothman, the author of the "Pragmatic CSO". This is a book to explain to security techies how to function in a business environment.

But this statement is hogwash! I haven't read the book, but Rothman seems to be teaching you how to (a) feel influential because managers are asking you questions, and (b) make project plans and business cases for security equipment purchases. The premise has some truth: computer-system security specialists within companies need to function like grownups. But his statement "make sure nothing bad happens" reveals a misperception of any role in business.

Security always has TWO sides [2]:

  • (a) Safety: Be sure bad things DON'T happen.
  • (b) Liveness: Be sure good things DO happen.

    But these ideas are not well known outside the formal Computer Science Research community.

    There's an old joke: the best firewall (network security device) is the air-gap between a network cable and the port. The joke is funny because so many security people actually function as if their real job is to ensure nothing bad happens.

    This absurdity is promulgated by Rothman's statement. Its practice creates the crazy situation in which the security technicians -- Chief Security Officer (CSO), IT technicians, etc. -- work *against* getting Good Things Done, leaving the rest of the business to work in favor of getting Good Things done.

    Cisco published a relevant study in 2008:

    "One of the most significant findings was the difference in employee and IT perspectives on policy non-compliance. According to IT, employees defy policies for a variety of reasons . . . [E]mployees said the top reason for non-compliance is their belief that policies do not align with the reality of what they need to do their jobs. More than two of five employees (42 percent) made this claim globally. In Germany, even though the majority of employees felt their companies' policies were fair, more than half of them (55 percent) said they would break them to complete their jobs." [3]

    Of course the security staff feels like the users don't care: the security staff doesn't really care if the users to get their jobs done. It's as if the security staff feel that it's better not to get the job done at all rather than have it done in an insecure way.

    PRINCIPLES FOR BEING PRAGMATIC ABOUT SECURITY

    I. The computer security insanity has to stop. Being pragmatic about Computer System Security doesn't mean learning how to make fake business plans to buy equipment.

    II. Being pragmatic about computer security must include both enabling good things to happen, and preventing bad things from happening.

    III. The MAIN job of anybody in an organization is to do the business of the organization; i.e., to get good things done, to provide the service, make the product, satisfy the customer, help the world.

    IV. All ventures involve risk; there's always a risk of attack and a cost to defend against it. The probability and costs of many risks cannot be quantified because you don't know what the worm or attacker will do.

    V. Security is NOT about buying equipment or software. (Most serious network attacks go right through firewalls. Anti-Virus software is almost never up-to-date enough to stop new viruses.)

    VI. Complex system security is sometimes worse than no security. For example, firewalls with 100-line access lists are almost always wrong.

    VII. Security Controls that Prevent activity are fundamentally defense against specific attacks. For every security control (firewall, access list, etc.) you have, you should know what you're defending against.

    VIII. Realize that Compliance can be a farce; being "complaint" to some standard may mean you're not defending against the right threats.Auditors are often ex- accountants with checklists and no real understanding of systems. Don't rely on policy/law compliance for anything besides satisfying paperwork requirements.

    [1] Mike Rothman's 2006 blog post, "'Pragmatic Security' Coming Into View", posted at: http://securityincite.com/blog/mike-rothman/pragmatic-security-coming-into-view

    [2] Fred Schneider, "Defining Liveness", http://portal.acm.org/citation.cfm?id=867712

    [3] Cisco Systems, "Global Cisco Study Applies Reality Check to Corporate Security Policies, Draws Connection to Data Leakage Risk",http://newsroom.cisco.com/dlls/2008/prod_102808.html