5/24/05

Five Reasons I Hate Computer and Network Security

I just checked my Vitae -- I've been doing this (computer and network security) full-time since 1992, and part-time for a few years before that. As may be evident from recent blog postings, such as The Same Old Drum Beat, I've become more curmudgeonly. As charming as that might be in me, it is in no way a desirable attribute. So, I wondered, just what is it that bugs me about this field in which I've (sort of) made a name and (sort of) made a living? I came up with a list of the five reasons I hate computer and network security.
  • There's no way to get to a solution. It is a moving target! There are always more and bigger threats. Or, more precisely, there are similar threats manifested in bigger and badder ways.

    On the other hand... Ecclesiastes says (1:9.10), "What has been is what will be done, and there is nothing new under the sun. Is there a thing of which it is said, 'See, this is new'? It has been already in the ages before us." So, we can use variations of what has worked in the past, in new ways perhaps. Rather than making it frustrating, that should be what makes the job interesting. No?
  • With users, everyone does what he or she wants anyway. The apostle Paul -- not specifically referring to our topic -- wrote, "As it is written, 'none is righteous, no not one: no one understands... all have turned aside... no one does good, not even one.'" (Romans 3:10 ffl.) Even earlier than that, the writer of the Book of Judges wrote, "Everyone did what was right in his own eyes." (Judges 17:6.) So, the security person is always the bad guy to the users. On the other hand... in Matthew's gospel, we find this: "When hs saw the crowds, he had compassion for them, because they were harassed and helpless, like sheep without a shepherd." Hmmm. Okay, they really do need a shepherd. Think of what the users would do without some direction, some guidance, some tempering of their destructive tendencies. Yes, they are smelly, but they sure do look cute. And they do need help.
  • With upper management, it's the same old battles.They have a short attention span when it comes to technology. Unless they are technologists, and then they won't stop suggesting tweaks. And all they care about is making money.

    On the other hand... it really is about making money. Put another way, "security" is about managing risk which is short-hand for "managing risk and maximizing business." So, in an annoying way, they are just doing their jobs.

  • Those darned users are never satisfied. They just want more, more, and more. They don't listen to reason. As I said in Seven Things..., "We ask for requirements, they give us solutions," and their "requirements are wants or desires in disguise."

    On the other hand... as I said later in the same blog entry, "It is the responsibility of the clueful to clue in the clueless." And, remember, they need a shepherd.

  • Security practitioners keep going over the same ground, sometimes reinventing solutions, but under a different name. We're also enamored with analogies. Recently, I read a reference to a post to a mailing list I usually read. The mailing list post referred to four critical attributes of security that are likened to the four legs of a stool. A great analogy? Well, sort of. It works perfectly as an analogy if we're talking about a three-legged stool (which won't stand at all if one leg is missing). But, four legs minus one? Or a five-legged stool? I suppose it is weaker. (Though, I guess, I really mean the analogy.) We want to make analogies between the network world and the physical world. We draw bricks and moats, castles and draw bridges. We forget about history in our own discipline.

    On the other hand... No. No, there isn't an "other hand" for this one.
Axel Eble, CISSP, comments on this in his own blog, I don't hate security. Thanks, Axel!

No comments: