4/6/04

Is Security a Black Art?

In his logoff column in Information Security magazine, Andy Briney opines that “As long as it remains a black art, security will be the enterprise’s black eye.” He writes, “Twenty years after Cohen wrote these words [“Current systems offer little or no protection from viral attack — the only provably ‘safe’ policy as of this time is isolationism,” in Computer Viruses: Theory and Experiment], we still haven’t got a clue how to stop viruses …” He then goes on to state a number of other things that I also believe fairly miss the mark.

Read his column (note, SearchSecure doesn’t maintain old archives; this takes you to iranscience.net). My letter to him:
I’m having a hard time matching your observations with the real world. For example, it seems to me, AV is the one thing we can do fairly well. You say “we still haven’t got a clue how to stop viruses…” Really? No clue? I think you are overboard on the exaggeration scale.

I don’t think our profession is “struggling to gain respect, credibility and funding.” There are solutions — old solutions — for current problems. Our jobs might be frustrating because enterprises focus on what I’ve called the Primordial Security Policy (in NetSec Letter #17), namely “Allow anyone ‘in here’ to get out, for anything, but keep people ‘out there’ from getting ‘in.'” They forget that securing the business is shorthand for maximizing the business while minimizing the risks. And this is always a compromise. They want it all, or — since you were in a cliche mood — they want to have their cake and eat it, too.

Is that a problem? A huge one. Is it fixable? I don’t know. Is it because we lack technology or process? Not at all. Funding will always be an issue, because it is a business decision requiring comparing cost vs. benefit. But the security practitioner remembers that it is not about *security*. It is about securing *business*. That, too, requires compromise.

No comments: