Friday, July 15, 2011

Goats and ITSec

A local health insurance provider recently launched an ad campaign using goats to confront the highly contentious issue of health care reform. The idea is that each participant in the health care system (including health care providers, patients, lawyers, and insurers) has a different scapegoat for the rising cost of health care.

The ads are amusing, and you can see most of them on YouTube: http://www.youtube.com/results?search_query=scapegoat+bcbsnc&aq=f

My point is not to popularize this campaign, but to muse that we seem to have the same sort of problem in information security.

After going to quite a few conferences, five distinct security philosophies seem to arise:

The Riskies: If executives better understood the link between security and the potential cost to business, they'd be secure!

The Feelies: If security professionals were kinder and gentler, everyone would love security and hear the message and be secure!

The Pwnies: If we break enough stuff, people will finally believe us when we say how screwed they are, and they'll get secure!

The GRCs: If we document the right policies, everyone will know how they are supposed to act, and everyone will be secure!

The Fixies: If we had the right solution, security wouldn't be so expensive, and it would be easier to be secure!

Meanwhile, a bunch of people who are responsible for budgeting and selecting solutions are too confused by the jargon, the math, the legislation, and the systems to act. "Find me a vendor that will make us secure! Or, better yet, to the cloud! Let's just make this someone else's problem!"

Each security philosophy has merits, but when is the security community going to pitch in to offer a comprehensive and comprehensible solution?

First World Problems: Pentester's dilemma

http://www.xtranormal.com/watch/12300369/first-world-problems-the-pentesters-dilemma