What’s our end-game?
Last week I tripped over an interview of an old friend on YouTube. It’s really interesting and worth 30 minutes of your time. What jumped out at me takes place at about the 16 minute mark.
What Carol talks about here is how the shape of the research agenda for Mars changed from very expensive, flagship missions, towards smaller, less costly, and more focused missions (think Viking vs. Pathfinder). I was struck by her perspective — looking at the entirety of the Mars research program and what worked best for the tactical advance of science. This got me wondering about parallels between the research and exploration she’s describing and our challenges in information security.
Obviously there are basic differences here. Sending spacecraft to Mars has many goals both mundane and profound (from ‘what’s the weather like on Mars?’ to ‘is there life on Mars?’). However, what I think Carol is talking about in her interview isn’t specific experiments or engineering challenges; rather, she’s talking about the overall management of the research program for Mars. Now, I’m a security practitioner, not a researcher, and the job of running an operational infosec shop isn’t about research. By definition it’s about the implementation of technologies, processes, and policies coming out of the academic/industrial complex to support and enable the University’s mission. (Granting that we do systematically investigate point solutions, and that larger organizations may have the resources to partner with researchers doing basic research.) But if we step back for a second, away from the specific engineering challenges we face, this leads me to wonder where I should be taking the overall security and risk program for my institution.
Essentially I’m asking, “what’s my end game?” Am I never going to do better than to continuously (re)evaluate some codified set of technologies that are locally optimized to address some portion of our technology ecosystem (the endpoint, the border, systems, databases…)?
In 2003/4 when I started at UIUC, one of the first things we did was deploy an IPS (Tippingpoint) at our border (firewalls went in a year or two earlier). While they didn’t magically secure the campus, they helped enormously. A few years later, we replaced them with larger boxes. A few years later we replaced those with faster Juniper boxes. Has the technology in these improved? Considerably. Has it solved more of my security challenges? Hardly.
If I were to succeed in comprehensively implementing the NIST framework or FISMA requirements across my entire environment, do I get to go home and open a bottle of champagne?
Perhaps we should focus not on the activities of an Information Security office, but on the role of InfoSec within our ecosystem. As yet another, smarter friend and colleague reminded me recently, his managerial goal is to put himself out of a job — to make sure his organization isn’t dependent on him.
Should the end-game for information security be to make ourselves unnecessary? I don’t want to use too broad a brush here; there are a host of things in the typical CISO’s portfolio that someone has to do: LEA interactions, HR investigations, DR, lost & stolen equipment, audits, and policy development, to name a few. However, the more we engender trust in the ordinary operations of IT with regard to security — that data, systems, and operations — our IT ecosystem — are innately secure and respectful of individual privacy, the less need there is for much of what consumes us in security. If I eat well and exercise, I don’t need to see a doctor unless something is horribly wrong.
I’m not going to argue that we need fewer security staff. I’m not sure I personally know of a University InfoSec office that’s truly appropriately staffed. But perhaps the continued growth of security offices isn’t because we need more security staff, but precisely because we’ve allowed security to be too decoupled from ordinary IT.
Note: I’ve addressed some of this in a recent blog entry elsewhere, and a good friend and colleague and I will be expanding on these issues at the Educause Security Professional’s conference in May.
