Letter to Santa on Security 2.0
I just wrote an E-mail to Michael Santarcangelo of the Security Catalyst about his Security 2.0 initiative. Please comment if you have any input. Also watch out for Michael to open the Security Catalyst Community soon. You should also listen to the Security Roundtable if you haven't had the chance.
Go forth and do good things.
Cutaway
*Edited slightly to clear up the early morning typos
Michael,
I finally got a chance to listen to your Security 2.0 podcast and the SRT #4. I really think that you and the rest of the guys are addressing the issues that are core to the security fields. In the past few years security has really taken off into its own space. There are all kinds of new innovations and implementations that are really starting to drive a large portion of the industry.
I believe that your Security 2.0 theory definitely has a place within the community. I absolutely think that we are coming to a time when there will need to be a shift in attitudes towards how we are approaching security. Not necessarily at the enterprise level. We have a lot of that figured out in the defense-in-depth strategies and defensive solutions, and what we don't have figured out we have plenty of capable people working on. What I mean when I say change is that there needs to be a shift in our approach to combating (imagine me working that word into the conversation) the threat source. I really like that term, threat source. The exploitation of a vulnerability allows a threat to be initiated, but it is the threat source that must take some type of action to set the situation in motion. Human threat sources are really what is driving our industry; they are the demons to our paladins. Insiders, disgruntled employees, script kiddies, criminals, terrorists, drunken louts, and jealous wives are all common threat sources that we are generally familiar with, but there is something that is missing from this equation: society and social behavior. It is easy to say that Americans don't understand the rest of the world. We are an isolated society with strong views and opinions. So it is easy to say that American security experts do not fully understand the Russian or Korean threat source's motives and methodologies. What some people don't realize is that different societal and social behaviors can be seen right around us. For example, here in south Texas things, including business, happen at a slower pace than on the east coast. Another example is, and I am generalizing (which is part of my point), that in Louisiana things are accomplished on a more tit-for-tat basis than on the west coast. People, and I'm talking about the people we are working for, experience this far less than persons in our shoes because they generally stay close to home. We, the security professionals, on the other hand realize that we are "10 to 15 milliseconds from every scumbag on the planet" (quote from a guest on Pauldotcom) and we have to plan accordingly.
How I think that Security 2.0 is going to help is that you, and the other security catalysts you enlist, are going to begin asking questions of people who are not necessarily mainstream security or IT professionals. I think that, as a society, we have seen this type of thing before when business started doing this in the '50s through the '70s (it hasn't stopped, but I believe that this is where the major advances were made; I do not have examples, I am just going off a sense of advancement through American history). And this is the type of direction a portion of the security industry has to walk if we are going to improve. Yes, we still need people developing protections, but we also need people who are furthering the understanding of the threat source. A perfect example is the direction people like Bruce Schneier are taking us. One of his recommendations to protect our society (and the world) from terrorism is to increase funding for prevention through education about the threat source, intelligence gathering, and behavior profiling instead of a rigorous set of controls that limit functionality and ease of use. Of course, there is always going to be a place for protections from mistakes, misconfigurations, and laziness, but to really advance we have to start looking outside of our industry and begin utilizing the research and resources that other professions and disciplines can provide.
As to the SRT podcast on responsible reporting, I think that the Security 2.0 approach is going to help us here as well. With these types of experiences we will be able to begin a fundamental shift in the thinking of management, the legislature, and the judiciary. Only then will it be possible for us to move to an environment where people are not afraid to do the right and ethical thing.
Well, I have talked long enough. Getting back into writing mode has proved to be a little harder than I thought. I am hoping that this will help me, but I am also glad to hear people talking about and advancing these issues. I am looking forward to the progression of Security 2.0 and I am willing to help.
Take care and have a great week,
Don
Security Ripcord, Security Catalyst, Security Roundtable, Security 2.0
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.
September 27th, 2006 at 2:14 pm
[...] Cutaway sent me a great letter this morning about Security 2.0, and has it posted to his blog. You can (and should) read it here: http://www.cutawaysecurity.com/blog/archives/47 [...]
October 14th, 2006 at 3:31 am
[...] I've been trying to put together what I consider Security 2.0 in my Security Manifesto series. For me Security 2.0 is about giving non-IT-oriented people access to knowledge that they can use to secure their persons and personal assets from threat sources. [...]