We live in a time where 10 years ago is deemed as ancient history (from an IT view), a time that is well past, so different to today - a time that aside from reflecting on where we came from, provides little more to help improve what we have today. Information Security is hampered by this thinking.

We’re continually looking for new solutions today to fix up the inherently weak technologies we’ve….well, inherited, but we don’t always view them this way. Instead, we see new technologies with issues that can only be fixed by new thinking, new security tools, technologies and approaches. We accept mediocrity in a lot of cases because we either don’t think there’s anything else we can do or we just don’t understand nor want to understand how to attack root cause issues better. (Many reasons for the latter - expertise, resourcing, costs etc). We don’t look back for solutions. We don’t look deep for solutions. We go down the easy path to try to find solutions for today’s problems.

Have a look at what companies are doing and budgeting for from a security perspective and ask yourself; is this something that is going to make a qualifiable and quantifiable difference to the security of a company?….Don’t look at it from just a point-solution perspective, but rather from a holistic/enterprise perspective. It’s a common mistake, (if you can call it a mistake). Here’s an example:

System view security vs. Application view security

And here’s the above scenario in practice: Application Security Reviews - Pitfalls, Dangerous Mistakes and Assumptions.

These examples focused on applications but the scenarios described can translate to all aspects of Information Technology and our approaches to security.

	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
		Driving Revenue and Increasing Value with Application Performance Management
	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Are many, (or most) approaches taken to Information Security little more than knee-jerk tactical responses and plans that fall into “workaround” and “accepted mediocrity” categories - approaches that continually divert our attention from better solutions that may more directly attack the root cause of problems? I believe they are.

Most things we (in the industry) do, does seem to fall into these categories and we’ve been using these tactics since day 1. Attacking the root cause of problems and dealing with them is generally deemed too difficult. Great in theory you’ll be told, but we need “pragmatic” solutions (while agreed to be far from perfect, by some) that work today!

It’s 2009 and I see we’re still not thinking past just trying to bog up the rust to keep something at an acceptable level/working order (relative to what individuals involved believe is workable and effective for them). It’s subjective and those “acceptable” levels/ how that determination has been made needs to be questioned. Is the complete picture there and was there sufficient data accumulated for correct/accurate decisions to made? How often is it not, but decisions are still made to the detriment of the business?…..More often than not I put it to you.

Defeatist attitudes that lead to “workarounds” and “accepted mediocrity” are detrimental to any significant change and a better future. There is no ideal world and perfect security – we know that, but all “workarounds” and “accepted mediocrity” have done is to move us backwards, and we continue to move backwards. It makes no sense that we accept this as our lot. We are losing the battle and as new technologies and business approaches evolve on the Internet, we further accept this as our lot going forward, and for reasons mentioned, revert to the “trusted” (yet dis-proven) tactic of “workarounds”.

WAFS (and IDS/IPS, Firewalls etc and most technologies we use in the Information Security industry) are workarounds to deal with our inherently insecure technologies based upon insecure software. I’ll never accept we should implement workaround technologies as the sole thing available to us, “so let’s make the most of it”. If a WAF protects an organisation from something bad to a level of 60% or so, that is failure to me. Does the decision maker that purchases these products and services fully understand this when it it sold to him? Is the picture clear to them about alternatives focused at attacking the root cause from a micro-level perspective (ie; their organisation)? Is the former solution (WAF for example) at the end of the day going to be better for them at present given they can’t at present comprehend what else can be done, or even if they can, just cannot do it due to the old; expertise, resources, funding issues? Will they even try to consider this seriously? It just doesn’t happen in our world of fantastic and magical products they’re sold – products that they are “sold” to believe, will do all they want, to allow them to sleep better at night.

How do you judge, outside of the marketing claims that really cannot be accurately confirmed [by them] vs. more difficult theoretical holistic arguments that can’t be plug and played like the former? Lets spend a few million on something that “will make our organisation secure”! The sales guy guarantees it. (12 months later, sales guy is working for a competitor and now bags that product he sold the client last year as being crap “….and far from being able to deliver what we told them [the client] it would”).

Dealing with the root cause is too hard and many critical thinkers in our industry have accepted that we’re never going to be able to effectively attack this root cause. That concerns me. We as an industry are very insular and as a result of this, many have made the determination on behalf of broader society that the cause is a lost one. How can you do that? I say, broader society awareness is going to help. When society is more aware, we make a determination on what we expect and what we don’t want to accept. Lets not give up on this and accept our hands are tied.

Tags: Beast or Buddha