Tuesday, January 21, 2014

It's Time For Optimistic InfoSec

I'll wager that you rarely come across "Information Security" placed in close proximity to the term "Optimistic". In fact, it often seems that these terms are almost magnetically charged to repel one another. While you might see articles about enthusiasm over security budget increases or the effectiveness of some security technology, we rarely witness public optimistic proclamations or "high-five" celebrations in the Information Security community of practice.

Some of The Reasons For This Include

1. Information Security News Is Invariably Bad
The big InfoSec news stories are (always) bad. The developments and stories from 2013 were certainly no exception.

2. IS Professionals Get Paid To Think Negatively
A large part of the job in InfoSec is necessarily anchored to certain patterns of negative thought. We have to make it a habit to consider the worst-case scenarios, how to break things, and ways to subvert good intentions. We are at our best when we are "constructively negative". This isn't a bad thing; it is actually one of our great strengths if we can avoid certain pitfalls (more below).

3. Pessimism Often Feels "Safe"
In a time when there is so much focus on what isn't working right, it takes a good bit of professional courage to go against the grain. If you're optimistic about something and things work out well, that is one thing. If, however, you've expressed optimism and something goes wrong, then we tend to view this as a failed professional prognostication.

Reclaiming Optimism

Of course, InfoSec must remain "constructively negative" in terms of evaluating risks; however, we also have to make sure that the inertia of this habit, along with the barrage of negative news, doesn't bleed over into how we view the professional mission of Information Security. When you tune in to some of the InfoSec echo chambers, you often hear a great deal of frustration laced generously with sarcasm about just how bad things are or what someone did wrong. It's understandable that everyone occasionally needs to vent; however, at a time when Information Security has become a central concern for individuals, businesses, and governments alike, we also need to project attitudinal leadership through constructive expressions of what we are doing right, what we are able to improve, and most importantly how we will continue to cultivate realistic balances of risks and opportunities in cyberspace.

Critically, this is not the same as saying that we need to put on rose-colored glasses just to make ourselves feel better. Things are tough; all of our favorite asymmetries are still in play: the rate at which complexity increases vs. our ability to model risk accurately, offensive vs. defensive investment thresholds, and threat adaptation vs. defensive evolution.

However, the kind of optimism that we need is one that acknowledges these challenges but doesn't hide behind them. This type of attitude represents a forward-looking stance that purposefully seeks opportunities to recognize and support the good things we've done, actively encourages live-wire enthusiasm to seize new opportunities and innovations, and maintains the requisite tenacity needed to stay in the fight to make things better.

Four Very Important Reasons For IS Optimism

If the news from 2013 left you feeling a bit down, here are four significant reasons for considerable optimism:

1. We Win Every Day
For every news story and issue that we encounter, we prevent, detect, and deter truly vast numbers of attacks and proactively find and fix a large number of issues. It is easy to begin to see this as "background noise"; however, if it weren't for good security efforts and practices, this "background noise" would be the din of catastrophe. We are doing good work every day to protect the commonweal.

2. We Are In It Together
There is much more collaboration and information sharing occurring in and among the varied InfoSec communities. There is a plethora of reference and training material that folks have freely shared. There are also so many folks willing to help one another through the free exchange of ideas and lessons learned.

3. We Are Innovating Like Crazy
The amount of security innovation is at an all-time high; if you look at the projects, free tools, and products on the market, it is amazing how many great ideas are out there. This innovation is not confined to software either; we also have the capacity to innovate new defensive methods, assessment processes, and services that contextualize the way we do security above and beyond mere compliance.

4. We Will Not Surrender
The folks that I respect in this field all have stories of rough days, weeks, and months, but they have never quit or walked away. Even rough spots are opportunities to learn, adapt, and come back stronger. Security issues may not be going away anytime soon, but on a positive note, neither are those who are truly committed to making things better. Continual learning and persistence are the greatest defensive weapons in our arsenal.

What things are you optimistic about in Information Security? What are we doing really well? What opportunities do you see on the horizon in 2014?