At Information Security Decisions 2009, Marcus Ranum discusses the realities of compliance and standards and why security has caught lawmakers' attention.
About the speaker:
Marcus Ranum is Chief Security Officer at Tenable Network Security.
View the rest of the presentation:
- Part 1: The history of information security
- Part 2: The late golden age of information security
- Part 4: Vendor consolidation and technology integration
- Part 5: Predictions for the future of information security
Read the full transcript from this video below:
Part 3: Marcus Ranum on the state of information security
Marcus Ranum: Regulatory changes. Big changes here. The lawyers are here, and they're here to stay. Security practitioners now are kind of like a guy with a big, juicy sirloin steak strapped to their back swimming in a pool of sharks. Why is that? Because we have a limited budget for everything. Compliance is a limited budget as well. I'm sure most of you have had this experience, but there are a lot of organizations that aren't spending any money on security, and they're spending it all on compliance.
Now, in some cases, the compliance means buying some technology or doing something that actually pushes security forward, but about 20 to 30 to 50 to 60% of that is being eaten by your lawyers, which is good if you're a lawyer. I warned you about inviting the cockroaches to the feast. Once they're here, they're never going to leave.
And then, the next thing that's going to come is litigation, but that's another one. You've been asking for it, now you've got it. We've got all kinds of laws coming, and we're already starting to see the beginning of these wonderful things like HITECH. We're starting to see standards which are being created by people who consult for lawyers to promote security practices. So, essentially what's happening is that the auditors have realized that they can write themselves notes against you to pay their future paychecks, which is really a good thing if you're an auditor.
So, part two - the devastation. Security is on Capitol Hill's radar screen because security can be an unfunded mandate. It's a populist play. Eight hundred million credit cards leak out, and Congress can say, "We just passed a credit card protection act." What it says is the companies that handle credit cards have to spend more money trying to protect credit cards, and it doesn't cost the citizens anything. And the citizens go, "Wow! Congress passed a law to protect me, and it didn't cost me a damned thing." And they don't understand why their credit card percentages are so darn high, because it all just gets passed on to them. But that's what's winding up happening, right? So that's a big problem.
It's going to just get worse. The amount of complexity in legislation is only going to increase. We're already looking at some states that are looking at, "Can we turn PCI into state law?" That's one thing that's being considered in Massachusetts, I think, and in California. "Hey, let's do that." And then, of course, you know that the lawmakers are going to have to change it because they can't just let well enough alone. So, it's going to be PCI plus whatever our favorite thing is for our local jurisdiction. It's going to just get insanely complicated.
We desperately need national legislation. Now that the freight train is rolling on the legislation front, we desperately need to coordinate this centrally rather than on a state-by-state basis. And I would even go so far as to say we desperately need to coordinate it internationally, but I have no idea how that could play itself out.
So, the effect. Compliance dollars right now are being spent under the guidance of the liability, which means the legal department. I don't know how many security practitioners in this room are answering to lawyers now instead of the chief technology officer, but my guess is a significant percentage of you. This is a problem, because if your dollars are being allocated, whoever it is that is allocating your dollars is going to always find room in your budget for whatever their favorite thing is. I guarantee you. So, that's going to be a big problem.
Compliance is going to continue to report to the legal department. After all, the person who wrote the specifications owns the problem. If the lawyers are writing the specifications, it means that you're working for the lawyers. If the budget whip hand is being held by the lawyers and they're writing the specifications, it's not merely that you work for the lawyers. You are their bound slaves.
And so, what I think is going to wind up happening is security is, well, it's not even a matter of competing. Competing is not it. What was the old anti-totalitarian thing? You know, picture a human face with a boot on it forever or something like that. So, where I think security is heading is picture security scrabbling around for the spare change that the lawyers dropped for eternity, and that's kind of where we're heading.