Saturday, October 07, 2006

Security Is Not Refrigeration

Analogies are not the best way to make an argument, but they help when debating abstract concepts like "virtual trust".

Consider the refrigerated train car at left. Refrigeration is definitely a "business enabler." Without refrigeration, food producers on the west coast couldn't sell their goods to consumers on the east coast. Refrigeration opened new markets and keeps them open.

However, refrigeration is not the business. Refrigeration is a means to an end -- namely selling food to hungry people. Refrigeration does not generate value; growing and selling food does. (Refrigeration is only the business for those that sell refrigerated train cars and supporting devices.)

You might think "security" is like refrigeration. Like refrigeration, security could be said to "enable" business. Like refrigeration, security does not generate value; selling a product or service through a "secure" channel does.

So why is "security" really not refrigeration? The enemy of refrigeration is heat. Heat is an aspect of nature. Heat is not intelligent. Heat does not adapt to overcome the refrigeration technology deployed against it. Heat does not choose its targets. One cannot deter or jail or kill heat.

The enemy of "security" is the intruder. The intruder is a threat, meaning a party with the capabilities and intentions to exploit a vulnerability in an asset. Threats are intelligent, they adapt, they persist, they choose, and they react to their environment. In fact, an environment which on Monday seems perfectly "secure" can be absolutely compromised on Wednesday by the release of an exploit in response to Tuesday's Microsoft vulnerability announcements.

Returning to the idea of "enablement" -- honestly, who cares? I'll name some other functions that enable business -- lawyers, human resources, facility staff. The bottom line is that "virtual trust" is an attempt to "align" (great CISO term) security with "business objectives," just as IT is trying to "align" with business objectives. The reason "IT alignment" has a chance to succeed in creating real business value is that IT is becoming, in itself, a vendor of goods and services. Unless a business is actually selling security -- like an MSSP -- security does not generate value.

Why is anyone even bothering to debate this? The answer is money. If your work is viewed as a "cost center," the ultimate goal is to remove your budget and fire you. If you're seen as an "enabler," you're at least seen as being relevant. If you can spin "enablement" into "revenue generation," that's even better! Spend $X on security and get $Y in return on investment! Unfortunately that is not possible.

Finally, I don't think anyone would consider me "anti-security." I'm not arguing that security is irrelevant. In fact, without security a business can be absolutely destroyed. However, you won't find me saying that security makes anyone money. Some argue that spending money on security prevents greater loss down the line, perhaps by containing an intrusion before it avalanches into an immense compromise. That's still loss prevention. Of course security "enables" business, but enablement doesn't generate revenue; it supports a revenue-generating product or service.

This is probably my last word on this in a while. I need to turn back to my own business!

5 comments:

Anonymous said...

Glad to see you addressing this, Richard. I confess, my thoughts are quite similar to yours. As I pointed out in the discussion on the full disclosure list, any PHB smart enough to be in a leadership position in a company isn't going to be fooled by the "business enabler" argument any more than you were.

Anonymous said...

This comment has been removed by a blog administrator.

Unknown said...

You can tackle the concept of business enablement as well. I hate to pick on analogies, and hopefully I am not taking it too far (take any analogy far enough and it breaks down...), but refrigeration is necessary for the business to expand to those markets. Without it, the ice cream will melt before it can get to the customer.

Security, on the other hand, is not always necessary. A business can still choose to do something like, say, run an online store, without bothering too much with security. Granted, regulations are slowly changing that, but still...things CAN be DONE without security.

Maybe security is more like a sleep enabler? It enables more people to sleep at night. Then again, that is not much unlike insurance and loss prevention...

Unknown said...

Talking about analogies... I'm a lifelong IT professional who by chance happened to run a food business for a couple years. Although I agree with you in the general sense, I would like to point out other analogies that can be useful here.

Although important, refrigeration is only one tool for food safety. There's a huge knowledge base, a good part of it encoded under the HACCP umbrella. HACCP means Hazard Analysis and Critical Control Point, and -- much like security was supposed to be -- is a framework for food safety. HACCP starts from the principle that the food chain (with its associated processes) is inherently unsafe. From this starting point, HACCP starts to define limits to manage the security level. There's no such thing as "pure" and "safe" food. There is, on the other hand, food that is safe for consumption under a given set of conditions, including temperature, time, and other environmental variables.

Looking at IT security from the same perspective the food industry achieved with HACCP would be really great. HACCP is a requirement, by power of regulation, in several places. Nobody in the food industry can sanely call it an enabler, but this does not mean, in any sense, that it is less necessary than anything else in the production chain. Things that are mandatory have to be done, regardless of being costs or profits. Talking about security in this sense only weakens the argument.

Anonymous said...

Microsoft gets it!

http://www.bloginfosec.com/?p=83

Ken