27 April, 2007

Security By Self Delusion - Cont

In continuation of my Security by Self-Delusion and Transforming Negligence to Non-Compliance posts, I have a few more thoughts.

The first relates to attestation making senior management feel good about their security profile.

Let's drop into another cheesy security analogy.

In many cases attestation is kind of like keeping a log of all of the times you drive the speed limit. It might make you feel better, but if you are management you should be very wary. If a cop pulls me over for doing 80 in a 65, I doubt he will let me off because I show him a log of all the times I did 65. For that matter, the judge won't be so impressed either.

Compliance can (and should) be used to drive improvement in security, but management and executives must not delude themselves into thinking they are secure because they have successfully passed an attestation stage.


Ron said...

Hi Jim, why not go a step further and extend into the realm of regulation.

Standards, best practice, peer review and support, and culture? A better set of tools to use?

Jake Brodsky said...

This gets in to what metrics one might choose for a regular, real-time security report. And once you find those metrics, you have a monumental education task ahead. Not only will you need to educate the managers, but the plant floor staff as well.

Then, as we all know too well, progress happens, we have to pick new metrics, and you have to do this all over again.

As with safety systems, we have to accept that a real system will have flaws and that some of these flaws may be more serious than we realized. That's hidden risk. Mind you, I'm not advocating doing nothing; however, we have to consider that we don't have an endless amount of time to continually analyze the impact of each and every new security discovery. At some point, we have to shut up and get some real business done so the bills can get paid.

Jim C said...

You're right Jake, it is always a balance.