Around Thanksgiving time in the U.S., I usually take a minute or two between football overload (like that's possible) and binge eating to reflect on the year. It's hard to believe folks are putting holiday decorations up, and we're in full-fledged planning for 2013. Didn't 2012 just start? Uh, I guess not.
The only thing funnier than the onslaught of 2013 predictions that will overflow my inbox over the next few weeks is the folks giving thanks. We are security people. Our job is to look at a situation and figure out how many ways your organization will get pwned. We look for the worst and try to prepare for it. There are some unique individuals who are optimistic pessimists and can see light at the end of a brutal incident response. Or they use the reality of a public breach disclosure as a catalyst for change. The rest of us grumble through our day and wait for the other shoe to drop.
This month, let's give thanks to the other side of that equation. If there weren't bad in the world, we security folks wouldn't have anything to do. We wouldn't be able to appreciate the few times a user doesn't click on that link, or download that file, or install that malware. We may not win a lot, but we shouldn't gloss over the good that happens to us.
First, let's give thanks to the attackers and organized crime syndicates and nation-states footing the bill. Without those folks pushing the envelope on innovative attacks, we'd still be using firewalls and antivirus as the leading controls to stop advanced attacks. Wait, what? OK, never mind.
Though how much fun will it be when all of these folks being trained by nation-states to break into stuff make their way into the commercial markets? On both the good and bad sides. It'll be a lot of fun to clean up the mess when a cyber-ninja takes down a competitor inadvertently because, well, that's what they do. The idea that we'll ever get ahead of the attackers, well ... forget that.
Next, let's be thankful for PCI and compliance, in general. These mandates set the bar for security controls and pushed many organizations to do something to improve their security postures.
And for the most part, it has made a difference. The average organization did nothing about security five years ago. Now it does PCI, so that's a net positive. Let's also be thankful for the low bar that PCI represents. For those attackers just looking for low-hanging fruit (and there are a lot of them), anyone who thinks PCI is good enough is a soft target. Since that isn't you (right! right?), you should be thankful that there are organizations out there that make your security defenses look advanced.
Let's also smile on our good fortune that the compliance folks only think a prescribed control set needs to change every three years or so. Of course, nothing changes that quickly, so what's the risk of only mandating new controls every couple of years? Yeah, that's not going to work out very well for most of these organizations looking at the ROC as the end of the security journey.
We shouldn't forget the tech media that chases the latest obscure attack and creates a bunch of work for practitioners to ensure they aren't vulnerable to the latest TPM chip freeze attack, or other such nonsensical exploit. To be clear, there are times when making sure you've got a plan for a new attack vector is a good thing. But in an age of zero fact-checking, misplaced punditry, and news value success based on page views, if you are only getting your threat intelligence from the trade press, you're doing it wrong.
We also need to appreciate the increasing number of young people who choose security as a profession. They are studying in the mushrooming number of secondary education programs providing some training in information security. They take jobs to do the scut work that experienced folks don't want to do. These programs do a good job of teaching the fundamentals of attacking and protecting, but don't bother telling students that security is a thankless job ... which is good because if any of them knew what a security job was really about, they'd study Java or Rails, or something useful like cloud computing.
Speaking of being unappreciated, let's give a shout-out to our executives -- those folks who seem to have no problem remembering how to game the numbers to maximize their year-end bonuses, but can't seem to understand why they need to keep investing in information security. You know, those folks who believe that since a breach hasn't happened lately, they can reduce investment. Those are the folks who make the security job fun. And by fun, I mean like a root canal.
Of course, there aren't many other disciplines in today's economy with a negative unemployment rate. And few allow you to engage with smart adversaries and actually win sometimes. You don't find a lot of jobs where an organization suddenly gets religion and give you carte blanche to fix the problem. Nor will you find a lot of roles with a higher visibility than security right now.
So during the holiday season, as you and your teams are putting together plans for 2013, asking for money you know you won't get, and battling attackers you have little chance of stopping, just remember that you could have made a less fortunate career choice. Personally, I'm thankful that I live in interesting times, and that as long as people continue to steal from each other, I'll be able to pay my bills. And so will you.
Mike Rothman is President of Security and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio