Security Basics mailing list archives

Re: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."

From: generaldisarray04 () gmail com
Date: 19 May 2006 19:09:05 -0000

Security is a ‘process’ and not any kind of a tool, but I’m certain we all understand this.

Regulations, testing, tools et al. only serve to support said process.  But even the process falls short of ‘effective 
security’ simply because you’re still dealing with the weakest link in the entire chain – you!

Yes, you!  The human element, the weakest link, the person who will ultimately make a mistake that either singularly or 
in aggregate could bring risk to the security ‘process’ you practice.  The human element is often THE root cause of 
weakness within any organization.  You can't fix stupid.

How many of you have ever left the door to your house or car unlocked?  The control was there but YOU made the mistake.

Other examples:
- Firewall logs are only as valuable as the person who is reviewing them.  But does that person really understand what 
they’re looking at?  
- Intrusion detection is only as effective as the individual crafting the rules and how well he/she understands the 
environment they hope to protect.  But has he/she turned off certain alarms because they kept generating presumed false 
positives?
- The internal network is only secure from intrusion if you have a total understanding of all possible points of entry. 
What about physical security over the data closet in that remote plant you never go out to visit?
- The policies you preach only have teeth if you enforce them.  How many IT folks bypass Internet filters or proxy 
servers because it interferes with sites they need to surf?  For work of course!
- Audit reports seldom produce measurable results because often the auditors (who have only been onsite for 2 weeks) 
have no clue about what they’re auditing, much less the tools they’ve run or the work plans they’re following.  Not 
always the case, but more the rule than the exception.

In essence, we’re left with training, awareness, and communication efforts that seldom get attention.  That’s too much 
like ‘training’, and who has time for it, much less the budget?  Oh, but SOX, HIPAA, PCI etc. are devouring budget and 
attention these days.  And while I agree with needing 'key controls' for effective security, common sense has left the 
stage.  The very regulations that were created due to poor auditing practices are now being leveraged to increase 
billable hours.  I digress.

If the culture of any organization believes security to be a ‘non-issue’ then it certainly will remain that way.  Tone 
at the top is paramount.  

To abuse an old adage: it’s the people, stupid!  Spend all you want, but if your people are not properly trained, on a 
continuous basis, know their roles/responsibilities, and understand current/emerging threats to the organization, then 
you’ve gained little.  Tools, policies, procedures and audits will not save you.  The culmination of process plus 
people is what produces ‘effective’ but not ‘total’ security.  Changing any culture to reflect this is difficult at 
best.

Steve Knight CISA, CISSP