I had a discussion last week that ended with this question. “Why do we do security”. There wasn’t a great answer to this question. I guess I sort of knew this already, but it seems like something too obvious to not have an answer. Even as I think about it I can’t come up with a simple answer. It’s probably part of the problems you see in infosec.
The purpose of security isn’t just to be “secure”, it’s to manage risk in some meaningful way. In the real world this is usually pretty easy for us to understand. You have physical things, you want to keep them from getting broken, stolen, lost, pick something. It usually makes some sort of sense.
It would be really easy to use banks as my example here, after all they have a lot of something everyone wants, so instead let’s use cattle, that will be more fun. Cows are worth quite a lot of money actually. Anyone who owns cows knows you need to protect them in some way. In some environments you want to keep your cows inside a pen, in others you let them roam free. If they roam free the people living near the cows need to protect themselves actually (barbed wire wasn’t invented to keep cows in, it was used to keep them out). This is something we can understand. Some environments are very low risk, you can let your cattle roam where they want. Some are high risk, so you keep them in a pen. I eagerly await the cow related mails this will produce because of my gross over-simplification of what is actually a very complex and nuanced problem.
So now we have the question about what are you protecting? If you’re a security person, what are you really trying to protect? You can’t protect everything, there’s no point in protecting everything. If you try to protect everything you actually end up protecting nothing. You need to protect the things you have that are not only high value, but also have a high risk of being attacked/stolen. That priceless statue in the pond outside that weighs four tons is high value, but nobody is stealing it.
Maybe this is why it’s hard to get security taken seriously sometimes. If you don’t know what you’re protecting, you can’t explain why you’re important. The result is generally the security guy storming out screaming “you’ll be sorry”. They probably won’t. If we can’t easily identify what our risk is and why we care about it, we can’t possibly justify what we do.
There are a lot of frameworks that can help us understand how we should be protecting our security assets, but they don’t really do a great job of helping identify what those assets really are. I don’t think this a bad thing, I think this is just part of maturing the industry. We all have finite budgets, if we protect things that don’t need protecting we are literally throwing money away. So this begs the question what should we be protecting?
I’m not sure we can easily answer this today. It’s harder than it sounds. We could say we need to protect the things that if were lost tomorrow would prevent the business from functioning. That’s not wrong, but electricity and water fall into that category. If you tried to have an “electricity security program” at most organizations you’ll be looking for a new job at the end of the day. We could say that customer data is the most important asset, which it might be, but what are you protecting it from? Is it enough to have a good backup? Do you need a fail-over data center? Will an IDS help protect the data? Do we want to protect the integrity or is our primary fear exfiltration? Things can get out of hand pretty quickly.
I suspect there may be some value to these questions in the world of accounting. Accountants spend much time determining assets and values. I’ve not yet looked into this, but I think my next project will be starting to understand how assets are dealt with by the business. Everything from determining value, to understanding loss. There is science here already, it would be silly for us to try to invent our own.
Leave your comments on Twitter: @joshbressers