Home > Risk Management, Uncategorized > Famed security adviser, Steve Hunt explains, “Why I Hate Security.”

Famed security adviser, Steve Hunt explains, “Why I Hate Security.”

Famed security adviser, Steve Hunt explains, “Why I Hate Security.”

These criticisms of cybersecurity and risk management are nothing new. You’ve heard them all before, or muttered them under our breath. If you are a business executive, you’ve shaken your head when you’ve seen it. And if you are a security professional, you’re guilty of more than one.

  • “I hate security.” love-hate-security-2014
  • Much of what passes as security is no more than window dressing, or, as Bruce Schneier has called it, Security Theater, with its posturing, phony controls and security guard bravado.
  • Not a week goes by that a CIO or other executive hears a pitch from a security vendor, whose eyes are bugged out as their words ooze fear, uncertainty and doubt.
  • Security directors, including some of the most esteemed CISOs, can be seen from time to time running the halls, arms flailing overhead, screeching “The sky is falling! The sky is falling!”
  • Risk management experts talk for hours about the “fuzzy logic” of measuring impact and likelihood, using game theory, and generally talking until the audience goes numb.
  • And when the big one happens, when the big data breach hits, as it inevitably does, security pros and business executives alike point fingers at budgets, and internal politics, and vendor missteps for blame.

So I am here to give you the straight dope. To address all of these complaints once and for all. To put the discussion to rest so we can all move on.

Security is all those things.
Security IS often mere theatrics.
Vendors DO commonly sell FUD in place of value.
Risk management experts DO often employ pseudo science “to definitively calculate” intangible and unknown risks.
CISOs DO sound like Chicken Little when they predict the things we simply aren’t prepared for and need more budget for.
And security pros DO like to find a scapegoat.

All of these things are true, and security deserves its criticism.

I personally, however, look at it differently. Security is something special to me. For example, when I see a CISO work his or her way out of a messy data breach by responding quickly, limiting impact, and recovering smoothly–it gives me a very satisfied feeling.

Moreover, when I think of my own career as a security professional, I think of the truly costly and damaging attacks that we’ve avoided by working hard to improve continuously.

In the early 1990s I worked at a financial institution in Chicago. We got hacked–before we even had the word “hacked.” The bulletin board server was fine yesterday, but today it isn’t, and the audit log is gone. As we scratched our heads an ol’ timer leaned over us and said, “Looks like you got a security problem with your computer.”

I was stunned. I had never considered security and computers in the same thought before. My father was a locksmith, and I had worked my way through college and grad school at the University of Chicago with my own locksmith company and building PC clones on the side. So when I heard those words, a light bulb went on. I thought to myself, I know security, and I know computers. Right then I began retooling for a career in computer and network security. Right place. Right time.

So security gave me an entree into the world of the fledgling Internet, and into the world of creating value for the business in ways I never could have imagined before that fateful day seated cross-legged on the floor, under a desk, staring blankly at the back of a bulletin board server.

Security also did much more than that. It solved real problems. From the script-kiddies of the ’90s to the state sponsored hacking of the 2000s, security gave hundreds of professionals an opportunity to fight in very foreign territory–guerrilla IT warfare. We created a new way of operating the Internet, and we opened doors permitting businesses to create value and revenue in new ways. For example, the security community put its collective head together limiting loss sufficiently to make online commerce (once called e-commerce) a reality.

Converged approaches to physical and cyber security for the decade beginning 2001 created an amazing new world of inter-networked security cameras, intrusion detection, gates, fences, locks, employee ID badges, laptops, personal devices, and home automation controls. Everything was suddenly networkable because the basic questions of authentication and authorization (who are you? and, what are you supposed to do?) were answered by security professionals.

Today, we are coming up with clever ways to extend the work we did previously and apply it to the Internet of Things. Soon, we will see alternatives to keys and locks being used widely in the secure networking of any and every common device at home or sensor on a locomotive. Homes will operate more efficiently and businesses will make countless billions in new revenue because of IoT. This is possible because the security industry truly is doing its best.

Does security have its foibles? Is it security theater laced with FUD, bad logic and blame? Yes. But does it create value that outweighs its sometime silliness? Yes it certainly does. For me personally, it has provided me many benefits and opportunities, making me a better philosopher of technology, a better technologist in general, a better citizen of the world, a better provider for my family.

So the next time you sit through another ridiculous vendor pitch about all the bad things that will happen if you don’t buy their product, use your phone to securely transfer funds at your bank, or buy a gift for your kid on Amazon, or plan the next product launch with confidence that the security pros have your back.

Advertisements
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: