I would like to use the blog approach to begin generating tools that make information security decision making easier. There is very little evidence of scientific method usage in information security decision making, including cyber security. Security is a black hole for resources, and we keep pouring money and potential talent in. We waste money on products that we don’t know work. We partake in and sponsor educational programs that we don’t know are effective. We write policy that we do not know will work. We pretend, and say things like “there isn’t enough data to do anything but guess for now”. Then we complain about “falling behind”, we turn down real cyber talent because we defined bad criteria to begin with, and then we claim a “critical shortage in cyber talent”. We’re wrong and we always will be wrong. But we’re not accepting that and approaching the problem with the goal of being the least wrong.
Bullshit security solutions, appliances, managed services, frameworks, and methodologies are dominant right now. When you hear “cyber security is hot right now”, what they are really talking about are the steaming piles. Most of these are simple or complex black boxes. Some involve quantitative steps but are quickly becoming textbook examples of bad statistics.
My experience started as an associate risk analyst. I worked with several of the “big 5” consulting firms and forerunners to establish an enterprise risk management program. The risk assessment methodology being used was “ordinal”. They provided risk estimates in the form of a number between 1 and 3, or colors like red, yellow, and green. Assessment was, and still is, largely based on the pseudo-scientific model known as the “rational model”. You’ll find it in common intro to business decision making textbooks. Today the “rational model” is an approach that has reached beyond MBA students. It is also recommended by industry-standard guidance and organizations (NIST, COBIT, FFIEC, etc.). This is bad. This is the method used for national security, critical infrastructure decision making, financial risk, and many more highly influential groups. When organizations are asked by regulators to “assess the risk accordingly” in order to be compliant, they grab the nearest solution. They do the equivalent of clicking on the first “featured” results at the top of any Google search (the guys that paid the most to be there, typically including complimentary adware downloads). Some choose methods that are ready, available, featured, inexpensive, and simple. Others exercise more scrutiny and have information security, cyber security, and business intelligence consulting firms come in and present. Whoever makes the most compelling presentation of their services wins the contract. Both approaches are negligent business practices and examples of backwards business decision making, where we try to find solutions before we clearly define what our problems are.
Every professional service provider starts off much like I do here. You shit on the competition; you describe the flaws in the methods your target audience is most likely using. Then you promise either the “real” way to do it or the modest, diplomatic “better” way to do “risk”. Now I explain to you how different I am, and how different my products and services are. Fortunately for you, I am not selling products and services. I’m an information security professional with a job, just like you, who wants to put together the best approach to information security decision making. This is where I try to seem relatable to you, the target audience, but then pull a fast one and ask for money or your email address so that you can download the smart-sounding whitepaper my firm’s latest underpaid intern wrote.
I’m doing this blog for myself. The stone-age approach to information security decision making and risk management fuels a powerful anxiety in me that I have a hard time containing. Writing this blog is a kind of therapy for me. Fortunately, the therapy for treating bullshit-induced anxiety is the truth-seeking dialectic otherwise known as education. I want to create open-source solutions, and I want equally critical readers to contribute. Together we can treat my anxiety and come up with real solutions.