Everybody and their brother is blogging about the recent Security Absurdity rant "The Complete, Unquestionable, And Total Failure of Information Security". Due to the near tidal-wave of interest from the blogosphere, I decided to check it out and see if it was, in fact, all that and a bag of chips. Anyway, in case you haven't read the article, it's basically a laundry list of why information security sucks and why infosec practitioners are a group of bumbleheads - or at least that's my paraphrase, but I don't think it's an unfair one.
Basically, the premise is that the security community in toto has failed (in his words, "[failed] ourselves, our community and the people we are meant to protect") grievously and that we should all be ashamed of ourselves - we're apparently ignoring the stench of defeat clinging to us because of the fact that "business is booming" in infosec. Quite a condemnation, no? Or at least it would be if it were the case. So is it? Are we all dismal failures? I happen to not think so, but let's investigate...
Boiling down the content of the paper, the assertion that infosec has failed is predicated on the observation that there are threats, and that there are people taking advantage of those threats. It goes on to relate a laundry list of those threats, and the unfortunate ramifications of those threats being exploited. Where I think the argument breaks down is in the implication - I don't agree that the exploited threats imply the failure of security as a discipline. Look at this by analogy - if a bank has a bunch of security guards defending the vault, are the security guards always at fault if there's a theft? Or if a counterfeiter is able to make fake currency, has the Secret Service "completely failed" because of the fact that fraud could take place? I happen not to think so... In the physical world, just as in the digital world, risk management is about balancing threats with countermeasures, and producing a strategy for risk reduction commensurate with the risk. But this paper isn't about risk management - the cost/benefit of security isn't even mentioned...
Anyway, I think this paper is worth a read, but I don't think we should all hang our heads in shame as the author suggests. If you're going to read it, remember that the best kind of constructive criticism offers suggestions for improvement - in this case the author stops short of presenting anything to make the situation better (that's apparently for "part two" of the rant.) Dale Carnegie told us that "any fool can criticize, condemn, and complain" - but complaining doesn't help the situation get better.
Posted by Ed at May 11, 2006 03:00 PM