All The Wrong Ways to Think About Information Security — #4: 'Fossils & Futurists'
Tim Cranny, PhD
Principal at The Cranny Group LLC: Strategic Advisory Services for Information Security, vCISO
This is the fourth entry in a series of articles where I do a tour of the various ways people think about Information Security, talking about each one and its strengths, weaknesses, and symptoms. The reason why this is worth doing was covered in the Introduction to the Series.
This time it's a two-fer: two opposing approaches, each of which is wrong because it takes a healthy tendency and overdoes it to the point of damage. They're a pair because they veer off in opposite directions.
Name: Fossils & Futurists
Description:
Fossils are those who got into Information Security years ago, learned and grew until they felt on top of the issues, and then stagnated while the world continued to change beneath their feet. They hear the incessant talk about transformation and revolution, but the Fossil is a reflexive skeptic, and believes that 49% is vendor smoke-and-mirrors and 49% has been seen before, and that the mark of true maturity is to ignore all that noise and concentrate on the fundamentals.
Their mirror-image, the Futurist, couldn't be more different. This person is acutely aware of the reality of this rapid change—they're entranced by it—and wants nothing more than to talk about the applications of AI/ML to Information Security, and how to handle quantum computing's threat to trapdoor functions in asymmetric encryption, and so on.
The Appeal of these Ways of Thinking:
These two diametrically-opposed ways of thinking each make some very valid points. That's why they're flawed: not because of what they include, but what they exclude: the valid points of the opposing camp.
The Fossils are absolutely right in a number of key respects:
- Many (most?) of the most serious and endemic issues in InfoSec have to do with boring old-fashioned things like basic hygiene (patching, least privilege, simple visibility, attack surface minimization, etc.). These are things where there is no real mystery, no profound new lessons to be learned, just old lessons to be taken seriously and actually executed on.
- There is a lot of superficial newness and smoke-and-mirrors in InfoSec, and a cynical filter that says "I'll listen to you if you're still around next year," is invaluable.
- The technology industry has a long and inglorious history of failing to learn the lessons of history, instead declaring something new when in fact we saw it (wearing slightly different clothes) twenty years ago, and thirty years ago, and.... For example, the IoT world is one where we (as a civilization) seem deeply committed to digging up every horrible screw-up we ever committed on SCADA, and reproducing them on a grander scale.
- If you take a look at the post-incident analysis of most major breaches, one repetitive theme that emerges is "That's what took them down???" Ninety-nine times out of a hundred, the failure mode involved something boring that was called out in InfoSec manuals of twenty years ago. There's a really strong case to be made along the lines of "You aren't going to be killed by ninjas or killer robots. Worry about diabetes, drunk drivers, and step-ladders."
The Futurists are also absolutely right in a number of key respects:
- Technology is changing rapidly, but more importantly, the role of technology and data has already changed. It's pretty obvious that any mindset that formed in an era of "Those kids will deface my website if I let them," needs to be updated now that it finds itself in a world of "Most of our economic life and physical infrastructure is accessible on-line, and there are billions of dollars to be made by organized crime".
- There are a thousand examples of how the foundations of our technical world have shifted, but to give just one: the old-fashioned paradigm of "the perimeter is my moat, and if I do it right, I'll be safe inside," is profoundly and fractally wrong in a world of API-driven interconnections and 'ecosystem' business models. If you built an impassible moat around you in 13th-century Europe, you're a Feudal Lord. If you do it in 21st century New York, you're a nut-job.
- InfoSec is fundamentally a war and an arms-race, and, as I've talked about elsewhere, the fundamental characteristic of arms-races is their constant shifting and evolution. If one side of that battle simply fails to embrace that constant shifting and evolution, they lose.
Above and beyond the valid aspects of the Futurist mindset, some strong additional appeal comes from:
- Futuristic thinking is fun, interesting, and ever-fresh; and
- The Futurist mindset is much more likely than the Fossil to be lauded as 'visionary' and 'strategic' and so on, and to attract every social reward, from public attention to venture capital.
Problems With These Ways of Thinking:
The main problem with these mindsets is that because each captures some genuine truths and insights, they're clearly wrong if/when they actively ignore the virtues of the opposing mindset. Fossils who ignore the valid points made by Futurists are wrong, and Futurists who ignore the valid points made by Fossils are wrong.
Fossils who ignore "the Futurist lesson" are like the First World War generals who were ready to fight the last war, and were profoundly unready for the war they actually found themselves in. Futurists who ignore "the Fossil lesson" are likely to have superficial successes and popularity, until they die from something boring and predictable.
Symptoms:
Fossils are (by definition) old-fashioned in their thinking, so are more likely to be technically-focused, and more ready to think of InfoSec in terms of firewalls and cryptography, account management and syslogs. They're more about fundamentals like patching and asset management, and likely to be actively dismissive of any talk about things like machine-learning, quantum computing, or blockchain.
They're also more likely than most to be dismissive of (or to at least downplay) things that are real but 'recent', like the move of users to mobile platforms, and IoT, software-defined networking, agile development, and even the Cloud. This could be because these things were vaporware not that long ago, and the Fossils were busy polishing their skepticism instead of running to catch up.
Futurists are likely to talk more than most about things like machine-learning, quantum computing, quantum encryption, blockchain, and so on. In contrast, they're more likely to neglect the 'boring' things like patching and asset management.
What Would a Better Approach Look Like?
This one is pretty obvious: these two modes of thinking each fail because they commit too hard to one mind-set and ignore the valid points of the complementary perspective, so the cure to each disease is to embrace them both and steer a middle-course. The truth is that the industry is full of vendor fluff and transient fashions and at the same time is also undergoing constant fundamental transformation. People need to focus consistently on basic hygiene and fundamentals, and at the same time need to be constantly aware of powerful new threats and powerful new tools. It requires an ongoing effort because it's a balancing act.
Recommendations:
- Set an explicit obligation on the security org to walk this middle-path: deliberately focusing on fundamentals and hygiene and not being too fashion-conscious, but at the same time keeping an eye on the future and not being too faithful to the past.
- Impose a discipline whereby you carve out time (or, for larger groups, possibly even roles) to make sure that each mindset is actively represented. Have someone tasked with actively, consciously, and consistently asking the questions about basic hygiene and the lessons of yesteryear, and playing the role of skeptic regarding the latest trend and emerging technology. Also, have someone tasked with actively, consciously, and consistently asking the questions about how the game has changed, what 'classic answers' have stopped working or are losing relevance, and what opportunities are coming down the pike. In a larger organization, it can be a nice touch to role-reverse: have individuals who are intrinsically conservative/skeptical be involved in the future-watching, and have some novelty-seekers tasked with identifying and promoting the hard lessons learned from the past.
- Keep in mind that there is a certain asymmetry here: the modern world is more friendly to Futurists, so it's the Fossil mindset that needs a little more nurturing and protection.
- One analogy I've used in the past to temper the enthusiasms of futurists (including myself, to be honest) is the following: "If you're running a hospital, you don't get to talk about tele-presence surgical robots and CRISPR until you're really damn sure that everyone is washing their hands and throwing out used needles".
------------------
Previous Entry in Series: Wrong Way #3 - The All-knowing Hacker
Next Entry in Series: TBD
------------------
Great points, Tim. Love the role-reversal suggestion.
Business Security Director | Cybersecurity Consulting | CISO | Cybersecurity AI Agents | Security Executive | GRC
6 years ago: Excellent article! Great points!