One of the rules we try to live by, and to instill in our clients, is “don’t try or promise the impossible”. It is a simple and certainly not brilliant concept, but it keeps you off a path doomed to failure, frustration and wasted effort.
An example of failing to follow this rule was the pull quote from Michael McConnell, an EVP of Booz Allen Hamilton’s national security business and a former director of national security and national intelligence. “The government’s role will change to become more active,” he said. “We’re going to morph the Internet from ‘.com’ to ‘.secure.’” He said this during a hearing of the Senate Committee on Commerce, Science and Transportation; see the related article and video on CNET.
This is related to the Advanced Persistent Threat [APT] meme that we have been blogging and talking about since S4. One of my questions at S4 was: if APT is in fact persistent and you cannot remove the threat from your network, what should an organization do? Shortening and paraphrasing the answer from Kris Harms of Mandiant: an organization should focus its cyber security resources on the systems and data that matter most, rather than spreading the effort thinly across a large enterprise and failing everywhere, as you would expect.
It’s all about prioritization and learning to live with reality. We do this with almost every other area of our personal and business lives with different expected levels of reliability and security. Why do we hold to the illusion that cyber security will be different?
PS – An ancillary rule is “new organizations and projects should go for the quick win”. I was amazed that ISCI tackled such a difficult first task, a protocol stack certification that could be tested across multiple vendor solutions. They had money, buy-in from key players, momentum and good PR; all that was needed was some simple-to-write, simple-to-test certification criteria, such as a set of minimal elements and evidence of a Security Development Lifecycle. It could have come out in six months and made ISCI a player. Now, years later, ISCI is still stuck in the mud, and its future is uncertain.