IT is about executing predictable business processes.
Security is about reducing the impact of unpredictable attacks on your organization.
In order to bridge the chasm – IT and security need to adopt a common goal and a common language – a language of customer-centric threat modelling.
Typically, when a company ( business unit, department or manager) needs a line of business software application, IT staffers will do a system analysis starting with business requirements and then proceed to buy or build an application and deploy it.
Similarly, when the information security group needs an anti-virus or firewall, security staffers will make some requirements, test products, and proceed to buy and deploy or subscribe and deploy the new anti-virus or firewall solution.
Things have changed – both in the IT world and in the security world.
Web 2.0 SaaS (software as a service) offerings (or Web applications in PHP that the CEO’s niece can whip together in a week…) often replace those old structured systems development methodologies. There are, of course, good things about not having to develop a design (like not coming down with an advanced case of analysis paralysis) and iterating quickly to a better product, but the downside of not developing software according to a structured systems design methodology is buggy software.
Buggy software is insecure software. The response to buggy, insecure software is generally doing nothing or installing a product that is a security countermeasure for the vulnerability (for example, buying a database security solution) instead of fixing the SQL injection vulnerability in the code itself. Then there is lip-service to so-called security development methodologies (which, despite their intrinsic value, are often too detailed for practitioners to follow); these are not a replacement for a serious look at business requirements followed by a structured process of implementation.
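To make the "fix it in the code" point concrete, here is an added example (not from the original post) that puts a string-built SQL lookup next to its parameterised replacement and runs both against a constructed in-memory SQLite table. The table, the user names and the `lookup_*`/`demo` function names are assumptions for the illustration; the only thing that differs between the two lookups is whether the input is pasted into the query text or bound as a value.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demo; not from the original post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    # Defect: the caller's input becomes part of the SQL text, so a quote in the
    # input changes the shape of the query rather than just its search value.
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_fixed(conn, name):
    # Fix in the code itself: the query shape is fixed at development time and
    # the driver passes the input as a bound value that can never be parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def demo():
    # Runs both lookups with the same malformed input and with an ordinary name,
    # returning row counts so the difference is visible without reading output.
    conn = make_db()
    malformed = "nobody' OR '1'='1"   # constructed test input containing a quote
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, malformed)),  # every row leaks
        "fixed_rows": len(lookup_fixed(conn, malformed)),            # no such user
        "honest_rows": len(lookup_fixed(conn, "alice")),             # normal lookup still works
    }

if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns both users for an input that names no user, while the parameterised version returns none; a database-side product that inspects traffic can only ever guess at that distinction, whereas the one-line change to use a bound parameter removes the defect.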
There is a fundamental divide, a metaphorical valley of death of mentality and skill sets between IT and security professionals.
- IT is about executing predictable business processes.
- Security is about reducing the impact of unpredictable attacks.
IT’s “best practice” security in 2011 is firewall/IPS/AV. Faced with unconventional threats (for example a combination of trusted contractors exploiting defective software applications, hacktivists or competitors mounting APT attacks behind the lines), IT management tend to seek a vendor-proposed, one-size-fits-all “solution” instead of performing a first principles threat analysis and discovering that the problem has nothing to do with malware on the network and everything to do with software defects that may kill customers.
Threat modeling and analysis is the antithesis of installing a firewall, anti-virus or IPS.
Analyzing the impact of attacks requires hard work, hard data collection and hard analysis. It’s not a sexy, fun to use, feel-good application like Windows Media Player. Risk analysis may yield results that are not career enhancing, and as the threats get deeper and wider with bigger and more complex systems – so the IT security valley of death deepens and gets more untraversable.
There is a joke about systems programmers – they have heard that there are real users out there, actually running applications on their systems – but they know it’s only an urban legend. Like any joke, it has a grain of truth. IT and security are primarily systems and procedures-oriented instead of customer-safety oriented.
Truly – the essence of security is protecting the people who use a company’s products and services. What utility is there in running 24×7 systems that leak 4 million credit cards or developing embedded medical devices that may kill patients?
Clearly – the challenge of running a profitable company that values customer protection must be shouldered by IT and security teams alike.
Around this common challenge, I propose that IT and security adopt a common goal and a common language – a language of customer-centric threat modelling – threats, vulnerabilities, attackers, entry points, assets and security countermeasures. This may be the best or even only way for IT and security to traverse the valley of death successfully.