Published: 01 Oct 2006
Your job isn't about concrete challenges any more; it's about ambiguity and trying to measure intangibles.
I finally read The Da Vinci Code. It's no literary masterpiece, but admittedly, it is a gripping story. An ingredient in its popularity is the underlying theme: a treasure hunt to uncover significant knowledge that had been hidden for centuries. Conspiracy theories and the belief that vitally important information is being deliberately secreted away are compelling ideas, constantly appearing in literature, movies, the tabloids, and even within our own profession.
We can search for hidden answers, but there are a lot of things that we may never know in infosecurity. It is sometimes said that if you can't measure something, you can't manage it. While there is an element of truth to that aphorism, it can also be a cop-out.
The fact is that we are confronted with a growing number of things that can't be measured, such as the significance of the external threat, the likelihood that employees will steal data, and the number of security failures that we actually prevent. It's embarrassing to admit that we don't know the answer to so many important questions about information risk, but increasingly, significant security management challenges are in the realm of the intangible.
Unwilling to live with this ambiguity, let alone manage it, the immature security manager persists in an impossible dream. The sneaking suspicion remains that there is a secret body of security knowledge and hidden best practices that are being jealously guarded by a cabal of security cognoscenti.
Once this secret knowledge becomes known, then it will be easy to make security decisions. You'll know exactly how suspicious you should be of your partners and employees. It will be crystal clear just exactly how much effort should be spent on security awareness programs. You will always have just the right budget, without having to fight for it.
Unfortunately, there is no holy grail of infosecurity. During the last 10 to 15 years it was easy, however, to put ambiguity on the back burner. Building a technical infrastructure to control external attacks was a concrete challenge. Everyone understood the need to control malware and hack attacks, and was willing to foot the bill for firewalls and antivirus software. Even in those good old days of infosecurity clarity, failure was highly visible but success was impossible to measure.
Today, a comfortable level of technical control over security failure is available to any organization with the desire and will to take advantage of it. What do we do next? We need to work harder to learn the best ways to encourage positive behavior on the part of our employees, and also prepare for an increasingly sophisticated criminal adversary. We must improve our profession by developing better ways to measure risk and security process maturity.
In practice, however, figuring out security controls that provide measurable indicators of risk is extremely difficult. Best practices for risk management take a lot of time to develop. Different corporate cultures and business lines create diverse challenges for security program managers. We have to expect that organizations will often use different key risk indicators. Ambiguity reigns. A basic tenet of intelligence must never be forgotten by anyone responsible for preventing unwanted human behavior: we do not know what we don't know.
We've run out of quick and easy answers. Further improvements require time and effort. We have to be willing to experiment with things that we cannot easily measure, and in some cases, rely on our intuition to make decisions.