I was inspired to write this post after reading a recent paper/post by Marcus Ranum titled "Ranum's Rants - The Anatomy of Security Disasters" available here. Thank you Ivan for the link.
This post is also available in pdf format here.
So as I was reading Marcus, I felt as though I was connecting with every word he wrote:
I’ve seen major security-critical business decisions get made based on whose golf buddy runs what business unit – I’m very skeptical of the notion that "Risk Management" has any value beyond the butt-covering obviousness of having made an attempt.
Brilliant. Insightful. Spoken from experience. Perhaps a dash (or three) of cynicism. But all true.
As security professionals, we see a lot. We learn a lot. We are all about the details and we HATE TO BE BLIND-SIDED!
If you are new to information security, you need to ingest the words from Marcus as if they were your own.
In the most dysfunctional organizations, you get senior (or sometimes mid-level) executives who 'shop a bad idea' until they find someone who is willing to tell them it is good. One security disaster I was involved with happened in exactly this manner: a senior executive hit upon a bad idea and asked the security team for their input. The security team explained why it was a bad idea; in fact they wrote a brilliantly clear, incisive report that definitively framed the problem. So the executive asked the web design team, who declared it a great idea and "highly do-able" and implemented a prototype. Months later, the "whiners" in the security team were presented with a fait accompli in the form of "we're ready to go live with this, would you like to review the security?"
Like it or not, this is our world! Security is now and will always be the enemy of convenience. Deal with it!
The only way to prevent security disasters is to have a security team that is fearless about feeding back information up to the top of the chain of command, and to have senior executives who make decisions based on reality rather than a projection of their fantasies.
Over the years I have realized that I bring 3 valuable assets with me to the table as a security professional:
1) my experience
2) my professional colleagues/relationships
3) my gut
The first two just naturally come over time, but the third takes confidence and a foundational trust in both your abilities and your judgement. As I get longer in the tooth, I have grown to trust this "gut feeling" even more, and I venture to speculate that once you learn to trust *your* gut feeling, you too will be a better and more effective security professional.
Sure, I have made my share of bad decisions, and I do not mean to imply that I have seen every possible iteration of a specific event or incident, only that over time I have learned to appreciate that many events are simply variations of prior events, and that it is my gut that allows me to connect the dots and recognize the similarities between these events when this connection may not otherwise be readily apparent.
I have also come to expect, foster and appreciate a work environment that I like to call "unbridled candor" where honesty abounds and you had damn well better not ask a question unless you are willing to hear the honest truth. I know from experience that some people can't deal with the truth.
I believe it is my gut that gives me the confidence to speak truth to power in a way that is not seen as confrontational to business decision makers but simply matter-of-fact and authoritative.
Marcus sums it up this way:
What can we do to break the cycle? The most important thing is to make sure you are direct and honest about expectations at all times. Do not allow management or clients to believe that they can do dumb things in safety, and do not hide behind bogus probability guesses. "Safety" is not the same thing as "relative safety."
I believe that Marcus trusts his gut and I think you should trust yours as well.