The Need for Structure

There really is no other way to say it - we do not know what we are doing. Microsoft, arguably the biggest and best software company in the world, cannot produce 100% reliable, secure applications. Cisco Systems produces state of the art routers and switches that help power the Internet, but as you read this sentence, there is likely a hacker somewhere in the world developing code to render Cisco’s technology worthless. There are tens of thousands of information security officers (ISO’s) in corporations around the globe and virtually none of them have a concise answer for management when they are asked how much the company will lose if they do not take the security precautions recommended by the ISO. We spend billions of dollars each year on security technology, yet much of this technology can and likely will be rendered useless by hackers in some obscure country each one using technology that probably costs less than $1,000.

When a new security vulnerability is discovered in an operating system or a virus spreads across the Internet in a matter of seconds, what do we do? In a quality based environment we would identify the root cause and design software that prevented the defect or any of its progeny from breaching our systems again. Instead, we issue “patches” to cover up the specific problem. If a company discovers that an input field is subject to a buffer overflow vulnerability, it issues a patch for that field, instead of redesigning its software to prevent all buffer overflows. We keep patching the tire over and over again, instead of figuring out how to manufacture a defect free tire.

The problem is that many of us are wrapped up in our denial. We know it is unlikely that Microsoft will ever produce 100% secure code in our life times, but we still deploy Microsoft applications to support mission critical functions. Our lives become consumed with “if’s”. If we can just create the perfect policy, if we can somehow convince management to spend the money on systems that will surely prevent any future disruptions, if we can just get the firewalls and routers consistently and securely deployed around the corporation, if employees would not be lazy and careless with their passwords, then, maybe, all of this will work. We would much rather charge ahead trying anything and everything to provide security, instead of asking the hard questions.

Another root cause is that much of information security is based on technology that is still in its infancy. No one has figured out how to program the perfect spam filter or the firewall that will reject all malicious transmissions. Just as it took years for mankind to effectively utilize the moveable type printing press, the steam engine and the automobile, it will be decades before we understand how to deploy secure code on the Internet. We need to first acknowledge that we really do not know how to properly use this technology, that it will be years, if not decades, until we do have sufficient knowledge and experience and that there is little we can do to accelerate this process.

Put yourself in the shoes of a blacksmith in the first two decades of the 20th Century. You have come to the realization that automobiles are the wave of the future and, if you are to remain gainfully employed, you need to shift your business to automobile repair. The challenge is that you know virtually nothing about how automobiles work or how to repair them. What do you do? You fake it. You do not tell your customers about your shortcomings and just plod ahead, trying to figure out problems as they present themselves. In time, you learn enough through trial and error that you are considered an expert. Most ISO’s have taken a similar path. Some may have taken courses in college or obtained their CISSP certification. However, none of this has prepared them for the complexities of dealing with global, bureaucratic organizations and the attendant challenges of incompatible technologies, lax practices and procedures, and Byzantine politics. So they fake it, until they get it right.

The solution is to create a structure for this process (The Framework), to follow a risk assessment methodology (the Simple Risk Model) that will guide ISO’s through the steps required to implement a secure business environment and to identify our goals.

©2009 ISRMC, LLC