In 1972 I was in the south of France. I had eaten some bad fish and was in consequence rather ill. As I lay in bed I had a strange recurring vision, there, before me, was a concrete building like a hotel or council block. I could see into the rooms, each of which was continually scanned by an electronic eye. In the rooms were people, everyone of them preoccupied. In one room a person was looking into a mirror and in another a couple were making love but lovelessly, in a third a composer was listening to music through earphones. Around him there were banks of electronic equipment. But all was silence. Like everyone in his place he had been neutralized, made gray and anonymous. The scene was for me one of ordered desolation. It was as if I were looking into a place which had no heart. Next day when I felt better, I went to the beach. As I sat there a poem came to me. It began ‘I am the proprietor of the Penguin Cafe. I will tell you things at random.’
Monthly Archives: January 2013
Does your company actually need a security department?
Gunnar Peterson prompted us yesterday in Dark Reading with this provocative question:
Does your company actually need a security department? If you are doing CYA instead of CIA, the answer is probably no
It’s easy to agree with Gunnar when you read his analysis. He offers a false dichotomy fallacy.
Standing up a choice between only awful pointless policy wonks in management and brilliant diamonds found in engineering, it’s easy to make the choice he wants you to make. Choose diamonds, duh.
However, he does not explain why we should see security management as any more of a bureaucratic roadblock than any/all management, including the CEO. Review has value. Strategy has value. Sometimes.
The issue he really raises is one of business management. Reviewers have to listen to staff and work together with builders to make themselves (and therefore overall product/output) valuable. This is not a simple, let alone binary decision, and Gunnar doesn’t explain how to get the best of both worlds.
A similar line of thinking can be found by looking across all lines of management. I found recent discussion of the JAL recovery for example, addressing such issues, very insightful.
Note the title of the BBC article “Beer with boss Kazuo Inamori helps Japan Airlines revival”
My simple philosophy is to make all the staff happy….not to make shareholders happy
Imagine grabbing a six-pack of beer, sitting down with engineering and talking about security strategy, performing a review together to make engineers happy. That probably would solve Gunnar’s concerns, right? Mix diamonds with beer and imagine the possbilities…
Inamori had interesting things to say about management’s hand in the financial crisis and risk failures in 2009, before he started the turnaround of JAL
Top executives should manage their companies by earning reasonable profits through modesty, not arrogance, and taking care of employees, customers, business partners and all other stakeholders with a caring heart. I think it’s time for corporate CEOs of the capitalist society to be seriously questioned on whether they have these necessary qualities of leadership.
Gunnar says hold infosec managers accountable. Inamori says hold all managers accountable.
Only a few years later JAL under the lead of Inamori surged ahead in profit and is now close to leading the airline industry. What did Inamori build? He reviewed, nay audited, everything in order to help others build a better company.
An interesting tangent to this issue is a shift in IT management practices precipitated by cloud. Infrastructure as a Service (IaaS) options will force some to question whether they really need administrators within their IT department. Software as a Service (SaaS) may make some ask the same of developers. Once administrators and developers are gone, where is security?
Those who choose a public cloud model, and transition away from in-house resources, now also face a question of whether they should pursue a similar option for their security department. Technical staff often wear multiple hats but that option diminishes as cloud grows in influence.
In fact, once admin and dev technical staff are augmented or supplanted by cloud, the need for a security department to manage trust may be more necessary than ever. This is how the discrete need for a security department could in fact increase where none was perceived before — security as a service is becoming an interesting new development in cloud.
Bottom line: if you care about trust, whether you use shared staff or dedicated services, dedicated staff or shared services, you most likely need security. At the same time I agree with Gunnar that bad management is bad, so perhaps a simple solution is to build the budget to allow for a “beer” method of good security management.
I recommend an Audit Ale
This style had all but disappeared by the 1970s, but originated in the 1400s to be consumed when grades were handed out at Oxford and Cambridge universities…. At 8 percent ABV, it has helped celebrate many a good “audit” or soften the blow of a bad one.
Aubade
by Philip Larkin
Alt Career Advice: Go Make Mistakes
When I was young I occaisonally received advice from friends and family, often academics with colorful and distinguished careers, to drop out of the normal paths offered to me and instead find myself before I took a job.
One particular sunny summer afternoon at Kansas State a tall lanky Anthropology professor named Harald, with wild gray hair who had a tendency to get over-excited while speaking, looked me over and asked “now that you’ve graduated what will you do with yourself”?
I forget how I answered. I am not sure I even had a chance to speak before his bright blue eyes grew wide, he sucked in a deep breath, wagged a finger and bellowed in a thick Dutch accent “you should go west to the ocean, jump on a ship as a deck-hand headed for New Zealand or Australia, and get a job working with sheep! Just be careful and make friends because if someone dislikes you they’ll throw you overboard and…”
The first thing that flashed in my mind was the irony of being told to chase my own dreams and then being given a dream to chase. I since have learned this is a clever management trick: “Bob, you’re in charge of this project. Now listen to me as I tell you how to run it.”
What Harald really meant, it soon occurred to me, was that I should use the time of my youth to explore, to discover, to make controlled mistakes, to recover and learn from them (recover being the operative word — don’t get thrown overboard). This seemed like age-old common advice and that is what I did. I would recommend the same to everyone.
This story came to mind when I read Moxie’s latest blog post. Although I found myself nodding my head a few times, he also said a few things about risk and judgement that I tend to disagree with.
More to come later…