Few things in the information security industry bother me more than corporate paranoia. I'm specifically referring to the policy, common among large companies, that forbids employees (and often contractors) from speaking, writing, or otherwise engaging in the ongoing public dialog about information security.
The information sharing issue is top of mind for me because recently a practitioner I know, someone who is among the most respected people in his field and a valued voice for the community at large, was silenced by his or her employer, instructed that his or her activities were not in the best interest of the company. (I won't tell you the company's name. I'll just say it rhymes with horizon.)
I find it mindboggling in 2010 that there are still so many shortsighted corporate security policymakers who, blinded by their own ignorance, paranoia, greed or all of the above, believe they must ensure their organization's security by placing a muzzle on the very people they believed were smart, talented and experienced enough to hire for that task in the first place.
What breeds this mentality? Is it the fear that employees will inadvertently give away some sort of key to the cyberkingdom? Is it the suspicion that employees will be distracted from their full-time gigs? Perhaps it's the inherent cloak-and-dagger legacy from which information security was born?
Frankly I don't buy any of it. The era of commoditization is upon us; from a technical perspective, I have a hard time believing there are any true secrets left to be had regarding unique enterprise defenses. Traveling to a conference or spending a few minutes updating a blog may take some time away from one's full-time work, but from a corporate perspective fostering that activity is a low-cost investment in an employee's continuing education, plus it adds to job and career satisfaction. Sure, some feel that effective security demands as much obfuscation as possible, even if it means shielding the identities of the good guys. However, I say that's just not good enough. The threat landscape has never been more dangerous. Data has never been harder to protect. Emerging technologies – cloud-based services, virtualization, and mobile computing – have never made information security more challenging. On any given day, news coverage, research data and your own internal reports offer up half a dozen good reasons to go back to bed instead of fighting the good fight.
But what's the one secret weapon information security pros always have at their disposal? Each other. You're all brothers and sisters in arms. The Internet may have created all sorts of new security problems that nobody predicted 20 years ago, but it unites each of you every day via industry groups, mailing lists, conferences, social networking and a slew of other ways. Fostering the sharing of emerging threats, common problems and best practices is one of the few ways to easily level the playing field.
Some might say practitioners haven't been assertive enough with their employers in making the case for raising their public profiles, but I don't blame them. Life is hard in 2010. The national unemployment rate is inching toward 10%, and decent, well-paying jobs are hard to come by. Nobody wants to experience a career-limiting, Robert Maley-style event, especially of their own doing, when every paycheck is critically important. So I understand why many security pros err on the side of caution and avoid participating in public dialogue -- as authors, speakers, policy makers or even simply as public observers -- about information security.
Clearly there's a right way and a wrong way to be a part of the conversation, but the lesson is that those conversations need to happen, and they need to happen in public. Information security can't succeed in a vacuum. Every voice is important. My hope is that all security pros will seek out ways to participate publicly for the greater good of the security industry, and the companies that prevent security pros from doing so will rethink those decisions and realize there's a better way to operate.
That, in my view, would certainly make for a much brighter horizon.
Eric B. Parizo is senior site editor of SearchSecurity.com. His rants can also be heard each month on SearchSecurity.com's Security Squad podcast.