Re: Info Security 'Teachers' Need More Learning

[InfoSec News <isn () c4i org>]

Forwarded from: security curmudgeon <jericho () attrition org>
cc: errata submission <errata () attrition org>, thornton.may () guardent com

> http://www.computerworld.com/cwi/story/0,1199,NAV47_STO64314,00.html
>
> THORNTON MAY
> October 01, 2001 

> Security professionals insist that better education of business
> executives is needed. They're right, but while they think they
> should be the teachers, they really should be the students first.
> At first glance, writing down what must be known about security
> and privacy and who needs to know it appears to be pretty basic.
> But security and

*Appears* to be basic, yes. Anyone that has been in the field for more
than three months knows this often gets a bit more complex as soon as
your client has more than seventeen computers.

> privacy professionals appear unable to put the security and
> privacy to-dos in the proper context for people who manage
> sensitive information. Why? Security people have never been known
> to distinguish

Says who? This point alone could be argued back and forth for a few
weeks I think. The amount of books on security range from "Comp
Security for Absolute Dimwits" to highly technical books that would
mystify the masses.

Creating a basic list of 'to-dos' is simple and done often. Finding a
way to get your clients to comply with that list and not lapse is the
real trick. 97.3235% of computer security breakdowns at client sites
is due to their inability to follow the security policy in place (1).
Further, 83.9823% of those cases were deemed "lack of common sense"
(2).

> themselves with dazzling feats of writing. Dostoevski and Tolstoy
> were pithy compared with contemporary security and privacy policy
> writers.

The client leads these documents. They want wording that is specific,
repetitive, all incusive, repetetive, and lawyer appeasing. They ask
for it, security professionals deliver it.

> So, the first lesson at security school should be basic writing
> skills.

And the first lesson of journalism should be something about
stereotyping right? But hey, all journalists are morons (3).

> Then there's the "bedside manner" of security and privacy
> professionals. They tend to be very good at telling us what's
> wrong and what's broken, but most of them are mute when it comes
> to actually fixing the problem.

Most of them.. based on what? Can you share the material or survey
that backs this? And does this apply to the fine people at security
companies like Guardent? Or are they immune to your verbal beat down?

> Most security professionals would benefit from a bit of advice
> from journalists in the do's and don'ts of telling a good story.
> Executives

I find this extremely ironic. If security professionals are to follow
in the footsteps of journalists, they are fucking doomed.

1. http://attrition.org/errata/ Yeah, journalists are sure on top of
things.

2. Based on #1, security professionals would be telling their clients
a complete load of shit that had no foundation in reality. "Yes, this
IDS system will protect your entire enterprise wide organization, keep
HR out of Engineering, stop all your modem dialup problems, and
prevent every employee from being social engineered because they were
dimwits. Honest."

> of the future won't tolerate messages that aren't highly relevant
> to them and will filter them out. So, lesson three is
> storytelling.

Lesson three is NOT storytelling. Security consulting often involves
auditing of one type or another. In audits, you don't get creative or
wordy or beat around the bush. You find problems and provide
solutions. If your argument is that security professionals give crappy
documentation in their work, then say that. But don't recommend that
they resort to story telling as a solution. Leave that to the security
professional turned journalist for a day.

> Assuming that the security curriculum has been created and taught,
> the third question becomes, "Has the organization tested various
> audiences against that curriculum?" Again, we find that less than
> 10% do so.

And this is the fault of the security professional? How many time are
we asked to audit or secure a system, write a policy or something
else, only to find out that our recommendations were not followed up
on for various reasons? They run out of money, made their boss happy,
satisfied legal by meeting some minimal demands for security, who
knows. Do you think that security professionals hand over a security
policy written to customer specs only to say "thanks for the money,
file this away and be sure not to follow it!"?
 
> Three months later, we returned to that 91% and asked, "Have you
> become more active in designing and implementing information
> security and privacy programs?" Ninety-five percent said no.
> Executives endorse the theory and concept of security and privacy,
> but they don't walk the walk.

And this the fault of the security professional how?

And could you cite this survey please? I couldn't find it on the
Guardent web site. I did find this "gem" of an example though (4):
http://www.guardent.com/pr2001-06-25-01-GEM.html

This sounds exactly like what you are speaking out against. You want
to put all that in plain English?

> Thornton May is corporate futurist and chief awareness officer at
> Guardent Inc. in Waltham, Mass. Contact him at
> thornton.may () guardent com

What a complete disappointment.

Being with Guardent, I am just SURE that you and your firm isn't like
the bad guys you talk about above right?


(1) I made this number up so we can both quote studies to back
    our argument. Like you, I won't provide a full reference.
(2) See number 1 hombre.
(3) And all security professionals are not journalists obviously.
    Hypocrite.
(4) ha ha i kill me with these puns



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.