Defining INFOSEC

The excerpt below is from this LinkedIn question. I was attempting to point out that we already had the tools and methods we needed to do our jobs if we only took the time to realize what our jobs actually were.

I love the saying "There is nothing new in the world, just different perspectives." INFOSEC is no different. We are grappling with the age-old impact of human nature at its worst. Greed, Malice, Hate, Envy, Spite - age-old threats to any human endeavor. I once had a debate with another INFOSEC professional who was arguing that our industry had failed because we weren't *secure* yet. I ask you: how can you secure something without changing human nature? After centuries of working on the same issue we still find the need for police; should we say we have failed because there is still crime?
As INFOSEC matures we will realize that we are not something new or special. We are just facing the same dark side of human nature expressed through different tools. Now we can sit here feeling special, grappling for new ways to deal with the issue, or realize the similarities, apply centuries of progress to the issue and go with what already works.
So what are we to do? First off, dump that INFOSEC moniker; there is no such thing as security, since there is no such thing as being "secure." All we can do is effectively and efficiently analyze and manage risk. By reducing the opportunities for crime to happen we can reduce the risk of loss. Again, this is a human psychology issue; we have to deter the criminal from bothering us. I refuse to speak in INFOSEC best practices. I view my job as risk management and loss prevention. While it isn't sexy, thinking of my job in the same terms as a security guard's makes my responses more effective. Now if only that CD drive would hold donuts ....

How should best practices be developed, who should be involved, and how are they shared in a manner that will make them most credible?

My answer to the question was long and rambling.

Your question assumes that these decisions are best made using a top-down organization where a select few experts decide what should and shouldn't be. I am not going to debate that point; I just want to highlight a hidden assumption and offer a different way.
Humans as a species work from a bottom-up thought process. We, as social animals, watch and emulate others. We form opinions of others based on our past experiences with them or through a network of trusted opinions of others that we call someone's reputation. When someone whose reputation you respect offers an opinion about a way of doing something, you will at least consider it. The idea itself has a certain fitness depending on its ability to solve the problem at hand. The ideas that are the fittest tend to get passed on and those that aren't - don't. The fitness of the ideas that people recommend operates in a feedback loop affecting the reputations of those that pass them on; those individuals that consistently pass on fit ideas gain a reputation as an expert in their field, etc. Since human society is a scale-free network, certain ideas hit a tipping point of acceptance where the aggregate reputation of the individuals passing on the idea outweighs any fitness of the idea itself. E.g., the increase to my reputation when I pass on a fit idea is 1 to 1, while the potential decrease to my reputation by passing on an unfit idea is 1 to n, where the loss in reputation is diluted among everyone passing on the idea. This effect could be seen in the saying "No one ever got in trouble recommending IBM" that became "No one ever got in trouble recommending Microsoft."
So what are best practices? They are nothing more than the collection of ideas that have exceeded some threshold of saturation in the scale-free network of human society. Does that make them good? Sure, they at a minimum survived and outcompeted the competitor ideas that died off. The whole survival of the fittest thing. Are they the best solution to your specific problems? I wouldn't bet on it.
The answer isn't to decide who should create best practices. The goal is not to base your security program on them. Your program should be based on a sound risk management framework that objectively measures the risk that business decisions carry and selects the fittest controls to reduce the risk to acceptable levels.
I am a convert to the Factor Analysis of Information Risk (FAIR) framework. Measuring and selecting solutions based on actual needs is always better than playing the keeping-up-with-the-neighbors game.
The fundamental point I keep making is that this computer stuff isn't new. All we are doing is continuing the same old human nature with new tools.

Blog restart

Well, after a long absence I plan on restarting this blog. For those of you not using LinkedIn, I have been spending my energy answering people's security questions in their forums. I plan on taking some of the questions and my answers that I found interesting and reposting them here. Stay tuned.