rsequeira_b
Newcomer I

Security Wisdom or Security Knowledge?

I have often asked myself the question, “How does an organization make decisions when it comes to implementing preventive controls for IT security?” This post is all about preventive controls and in no way reduces the importance and necessity of detective and reactive controls.

The most likely answers which come to my mind are:

  • Based on security theory
  • Based on security practice
  • Based on subjective or objective assessment
  • Based on the information at hand or the security context
  • Based on pure technology
  • Based on the recommendation of a vendor or external consultant
  • Based on Government regulations or laws
  • Or a combination of two or many of the points above

Would implementing certain preventive controls make the organization “Feel Secure” or “Be Secure”? Feeling secure could be a feeling, while being secure should be a reality. Implementing a firewall could give the organization the feeling of being secure, while in reality this could be far from the truth. The organization could be secure from certain threats and vulnerabilities, but not against a government or state-owned entity who might have the means and technology to break through the firewall.

This throws up additional interesting questions: Secure against what, and secure from whom? Is the firewall a preventive control against all threats, bad organizations and people out in the dark? We could debate on the merits and demerits of these questions and provide arguments for and against. However, I would want to address the larger question which comes to my mind:

Are decisions to implement preventive controls based on Security Knowledge or Security Wisdom?

Knowing that a tomato is a fruit is Knowledge. Knowing not to put a tomato in a fruit salad is Wisdom. Better still, Wisdom is the knowledge applied with some common sense.

Of the eight points I raised above, all of these would come under the realm of knowledge, as we are dealing with facts and ideas that are acquired through study, research, investigation, observation or experience. Knowledge changes as the understanding changes.

Security Wisdom would be the ability to discern and judge which aspects of that knowledge were true, right, lasting and applicable.

In other words, Knowledge is a tool and Wisdom is the craft with which the tool is used toward the creation of value. It is a well-known fact that humans are the weakest link in any security chain or process. As a security professional, I strongly believe and feel that security is a collective responsibility. If security professionals are to be held accountable for breaches, then it behooves an organization to ensure these positions are filled with persons with the right mindset.

In conclusion I would like to suggest the following:

  • Organizations need to hire professionals with both Security Wisdom and Security Knowledge and skills
  • Hiring managers need to be capable enough of making this distinction
  • Courses and programs should test the wisdom of security professionals before they are hired
  • Security professionals should not be solely held accountable for a breach

Regards

Roshan Sequeira

Member- 62558

4 Replies
Deyan
Contributor I

Hey, need a bottle of Jack and a cigar for discussing this one frankly :). This is highly philosophical in my opinion but here are my 2 cents:

Bottom line - it all comes down to 1) the organization realizing that its most valuable asset is the data and 2) external (legal/regulatory) requirements.

"Feeling secure" in my opinion is utopia.... sounds like "zero risk"....= impossible.

Implementing security controls has never been and will never be about "feeling secure" or eliminating risk - it's about reducing risk - it's not about making it impossible for intruders to breach - it's about making it as difficult as possible, as frankly.... there is no environment that cannot be breached or "hacked". Building the security strategy should be driven by the "constant threat" principle, meaning that one should assume that their environment will 100% be attacked. How sophisticated and complex the security strategy would be is a matter of risk appetite, value of the data, finance and other stuff, but it all comes from the organisation itself.

It is ridiculous to ask "from whom should we secure our data" - especially for a big company with a name and share on the market....

Badfilemagic
Contributor II

As Socrates said, the only true wisdom comes in knowing that you know nothing. To that end, true security wisdom comes from knowing that you are not secure, but only in varying degrees of insecure.

But seriously though, wisdom also often being described as “knowledge plus experience,” what I hear you saying is organizations should hire senior people who have been doing this a long time and put them into leadership roles. That, of course, is ideal. But what a lot of places want is to be able to hire experienced/senior people and also fill lower tier positions with them as well. That leads to a few issues:
* burnout of senior folks faster
* not having junior people to train up creates the shortage of senior people in the future
* you can’t necessarily take an experienced analyst, plop them fresh into a different environment and expect “wisdom” right away in the new environment where the IT reality is different and therefore what may have been FPs at the previous job are now real alerts (for example). There needs to be a bake-in time to rebuild wisdom relevant to the new terrain, like a survivalist needing to learn new plants before being dropped in the woods far from home.
-- wdf//CISSP, CSSLP
Caute_cautim
Community Champion

Very good insight. But the reality is that most organisations would rather spend zero on security and controls, if they could. Many put faith in cyber insurance, but once the first incident occurs, then they come back and put clauses into their subsequent cover, e.g. ISO 27001:2016 or evidence that you have improved organisational controls. Compliance costs are increasing globally, given that many organisations, e.g. half of the Fortune 500, have disappeared due to factors such as digital transformation - this trend will probably increase. It appears to be in the human psyche to not invest or put the appropriate measures in place unless you really have to. How high must the penalties actually rise to before the majority of organisations take it seriously?

CISOScott
Community Champion

So I think this is an evolving space. I did a lot of work for the US government. They used to operate on your model of feeling secure by implementing all kinds of checklists. Problem was that the checklists were very inflexible and did not take into account the situation and level of risk present. They also did not allow for making risk-based decisions quickly. So in reality, even though they felt secure, they were not secure. Consider this make-believe scenario:

An Inter-Continental Ballistic Missile (ICBM) has just been launched and it will hit its target in 35 minutes. Your base is the target. You can scramble F-16 jets that can intercept it in 5 minutes. The pre-flight checklist takes 30 minutes to complete. The regulations say you cannot launch a jet without completing the pre-flight checklist. The checklist makes you feel secure because you have not lost any jets so far by following the checklist; however, if you do not launch a jet or multiple jets to destroy the missile, you will lose all of them. Unless someone makes a risk-based decision to forget the checklists and just launch the jets, the base will most likely be destroyed, which will include the jets.

So sometimes feeling secure means nothing when you are attacked. If you are receiving pushback on security spending, just point out to the board how most companies can find millions of dollars after a breach happens and the leadership has been fired, but would have had to spend much less if they had spent responsibly before the breach happened.