Managing Network Security

The World Doesn't Want to be Fixed

by Fred Cohen



Series Introduction

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


Fixing the World

Many of us in the information protection community know that there are better ways to do things than they are typically done today, but in the end, our efforts largely go for naught. We think up new ideas and try them out, we find that some of them work, and we try to get them into use, but in the end, almost every really good protection technology is nixed before it ever sees the light of day.

Why is this? I have often asked myself this question, but I have only recently started to come to believe that I understand the reason. And it's not a very good answer.

The answer, in case you haven't guessed it by now, is that the world just doesn't want to be fixed. By this, I mean to say that the best technology, the best ideas, the best of anything, is almost certain to end up not being used or done.


It's not just the world

There is a widely published theory, but of course I forget who published it first, that says, in essence, that the best solution never wins. In fact, I think it says that the second best solution always wins, but that's not the issue here.

Why is this? I have often asked myself this question, but I have only recently started to come to believe that I understand the reason. And it's not a very good answer.

The answer, in case you haven't guessed it by now, is that whenever someone comes to me with a really great solution, I advocate it and try to use it, but in the end, I don't make any money by doing that.


Best doesn't make as much money

OK - so if I adopt what I think is the best and I don't make any money at it, that means that I won't have the money to sell it as well as the person who, upon seeing the best, decides to build their own that is not as good but is theirs nonetheless. So in the end, the person who does what's best for them and not what's best for the people they claim to serve (i.e., their customers) makes more money and can do it again and more often.

Now I was just in a set of meetings with some pretty genuine sounding and politically astute people. I heard some pretty wild claims, but they stood by their guns and kept indicating the 'right' politically correct things. Here was one of them... you shouldn't reward performance with money because if you are 'that good', you don't do it for money anyway...

I must not be that good. I think that more money would be a good thing and, despite the assertions of those people who make a lot more money than I do, I doubt that any of them would be willing to take a $500,000 personal hit for being wrong or would not agree to a $500,000 bonus for being right. As an aside, these are the same people that, within the last year, made scores - probably hundreds - of decisions based on political expediency or to get more funding and not based on what's 'best'.


Isn't this a cynical view?

You bet it is. We are urged not to become cynical, presumably because it's bad for those who are taking advantage of us, but I consider myself to be a realist. And realistically, the 'money' view of the world has always been sub-optimal because, despite the fact that 'greed is good', excessive greed leads to collapse - ultimately of societies. They fall under their own corrupt weight.

Which brings me back to my original point: the people in power and with money want to make improvements - to their own financial and power positions, not to the condition of the world. That's how they got into that position in the first place, and that's how they are likely to be able to remain there. After all, if they stop, someone else will rise to take their place.

I would bet you that in the days running up to the fall of Rome, those in power would have told you about the same sorts of things that those in power today tell us all. The world doesn't need to be fixed, it just needs to be adjusted a bit, and we will take care of it. Don't you worry.


So I don't

Those of us who snuck copies of Mad Magazine past our parents in our younger days recognize this as the 'What, Me Worry?' viewpoint of Alfred E. Neuman... any likeness to any well known persons living or dead is strictly coincidental...

Yes, it's true. While I spend my days and many of my nights hunting down bad guys and doing research into information protection, I have gotten to the point where I just don't worry about the world like I used to. And you must know that the world doesn't worry about me very much either...

The world just doesn't want to be fixed. Despite the claims of interest in the 'real situation', when the real situation is presented to people, risks are dismissed (a.k.a. assumed) when they are not really understood. If you ask a top executive about security, their answer is likely to be incomprehensible.


Conclusions

If you are in the security business to fix the world, you should get out of it. I haven't, but then I'm a bad example.

If you think that you are going to fix anything with your security efforts, give it up. Just make sure that whatever you do has a good looking box or interface and people will feel safer (the definition of 'security' if you look it up in the dictionary).

Just remember, keep asking for more money, when disaster strikes, claim it was their fault for not giving you the money you have been asking for, and if they give you what you ask for, ask for more. It may not fix the world, but it will help fix your retirement.


Postscript

I hope I have taken this position effectively, even if I only rarely believe it. The fact is, many honest people do want to fix the world and do their best to compete with other interests to do so.

About The Author:

Fred Cohen is researching information protection as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates, and educating cyber defenders over-the-Internet as a practitioner in residence in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at all.net or visiting http://all.net/