Thursday, August 23, 2007

Some thoughts on understanding the people value in an Information Security team
Where is the new internet world headed? Complexity begets an accompanying loss of assurable security, as is evidenced by all the unhappy digital break-in news around us. There is even less comfort in the fact that most of the software out today was never designed with security in mind, and is now uncomfortably ensconced in an ostensibly protective cocoon of security devices that seem to do more to prevent the application from working than to prevent it from being attacked.
Our biggest shortfall today seems to be our lack of recognition that what we know is not even the tip of the iceberg - and yet most leaders and managers focus on just that little tidbit and ignore the larger danger of the unknown and undefined lurking below. In this headlong rush to cut costs while maintaining operations, the easiest win SEEMS to be to automate functions and drop head count, but that is the worst thing to do in the security domain. The big losses are:
  1. Loss of the institutional knowledge that seasoned warriors have, which will take newbies ages to learn
  2. Automated scanners and detectors can only recognize known attacks - they are helpless against unknown or zero-day attacks and vulnerabilities
  3. Today's fuzzy logic solutions are not seasoned solutions. While they represent cutting edge technology, they still have to be field proven - and do you want to be the one providing the field test opportunity, especially with the crown jewels of your digital assets at stake?
Automated solutions can at best complement a well-rounded security team - they cannot replace them (not yet, anyways!).
