
The Road Goes Ever On and On...

(Photo: the hills around Saratoga, California.)

(Originally posted on LinkedIn on September 30th 2014)

It is a Journey

What is security? How can I be secure? How will I know my systems are secure? I was compliant with the regulations, how was I able to be hacked?

Over the years these questions have come up in one form or another, in conversations with different people and in different contexts. At first I was a bit dismayed that we are still struggling with the concept of security, but the more I thought about it the more I welcomed the opportunity to address this topic.

We are what we repeatedly do. Excellence, then, is not an act, but a habit.

~ Aristotle

Let’s face it, most, if not all, of us are results-oriented people. We like to have tasks with a clearly defined start, clearly defined milestones, and a clearly defined ending. The problem is that information security doesn’t fit this model of the world. It isn’t so much a state as it is a state of mind.

I personally don’t believe there is any such thing as a secure system, and for a while there was pretty much consensus among the people I knew. That was until I was sitting in a meeting the other day with someone who said: “We can make your systems 100% secure, the problem is that it is cost prohibitive.” Needless to say, I don’t agree with that statement. The amount that you spend on information security should be commensurate with the value of the information being protected. As I said before, information security isn’t so much a state as it is a state of mind.

We can do all the right things, but there is still no guarantee that our systems are, or ever will be, totally secure. At any time we may fall victim to a zero-day exploit, a malicious insider, or simple user error. We can implement technical controls to limit this possibility, but we cannot eliminate it altogether. It just isn’t possible.

Let me leave you with two quotes. The first is from Dr. Eugene Spafford of Purdue University.

The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.

~ Dr. Eugene Spafford

And the second may be original. I’m not sure if I made this one up or if I heard it somewhere. I’ll claim it for now, but if anyone can cite another source please let me know. Either way, I think it is an accurate depiction of our goal of seeking a totally secure system.

Imagine a line with a point on either end. Point A is a totally insecure system and Point B is the theoretical totally secure system. As we start our journey from Point A to Point B, the furthest we can travel is half the distance. That is the best we can do, so we travel halfway, then halfway again, then halfway again. If we keep going half the distance between where we are and Point B, we will never actually reach Point B. Granted, we are a lot closer than we were when we started, but we still never reach our destination. Since we can never really reach our destination, we must focus on the journey itself. Information security is like that.

~ Graydon McKee