
October 17, 2007

Information Security: Deader Than a Door Nail. Information Survivability's My Game.

This isn't going to be a fancy post with pictures. It's not going to be long. It's not particularly well thought out, but I need to get it out of my head and written down, as tomorrow I plan on beginning a new career.

I am retiring from the Information Security rat race and moving on to something fulfilling, achievable, impacting and that will make a difference.

Why?

Mogull just posted Information Security's official eulogy titled "An Optimistically Fatalistic View of The Futility of Security."

He doesn't know just how right he is.

Sad, though strangely inspiring, it represents the high point of a lovely interment ceremony replete with stories of yore, reflections on past digressions, oddly paradoxical and quixotic paramedic analogies, the wafting fragility of the human spirit and our unstoppable yearning to all make a difference. It made me all weepy inside. You'll laugh, you'll cry. Before I continue, a public service announcement:

I've been instructed to ask that you please send donations in lieu of flowers to Mike Rothman so he can hire someone other than his four-year-old to produce caricatures of "Security Mike." Thank you.

However amusing parts of it may have been, Rich has managed to catalyze the single most important thought I've had in a long time regarding this topic and I thank him dearly for it.

Along the lines of how Spaf suggested we are solving the wrong problems comes my epiphany: the blame is to be firmly levied on the wide shoulders of the ill-termed industrial complex and the practices we have defined to describe the terminus of some sort of unachievable end-state goal. Information Security represents a battle we will never win.

Everyone's admitted to that, yet we're to just carry on "doing the best we can" as we "make a difference" and hope for the best?  What a load of pessimistic, nihilist, excuse-making donkey crap.  Again, we know that what we're doing isn't solving the problem, but rather than admitting the problems we're solving aren't the right ones, we'll just keep on keeping on?

Describing our efforts, mission, mantra and end-state as "Information Security" or, more specifically, "Security" has bred this unfaithful housepet we now call an industry that we're unable to potty train. It's going to continue to shit on the carpet no matter how many times we rub its nose in it.

This is why I am now boycotting the term "Information Security" or for that matter "Security" period.  I am going to find a way to change the title of my blog and my title at work.

Years ago I dredged up some research that came out of DARPA that focused on Information Assurance and Information Survivability. It was fantastic stuff and profoundly affected what and how I added value to the organizations I belonged to. It's not particularly new, but it represents a new way of thinking even though it's based on theory and practice from many years ago.

I've been preaching about the function without the form.  Thanks to Rich for reminding me of that.

I will henceforth only refer to what I do -- and my achievable end-state -- using the term Information Survivability.

Information Survivability is defined as "the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents to ensure that the right people get the right information at the right time.

A survivability approach combines risk management and contingency planning with computer security to protect highly distributed information services and assets in order to sustain mission-critical functions. Survivability expands the view of security from a narrow, technical specialty understood only by security experts to a risk management perspective with participation by the entire organization and stakeholders."

This is what I am referring to.  This is what Spaf is referring to.  This is what the Jericho Forum is referring to.

This is my new mantra. 

Information Security is dead. Long live Information Survivability. I'll be posting all my I.S. references in the coming days.

Rich, those paramedic skills are going to come in handy.

/Hoff



TrackBack


Listed below are links to weblogs that reference this entry:

» The Changing Winds of Information Security from The Falcon's View
Anybody who knows me very well, has worked with me, or has followed my blog (well, back when I still made substantive posts like this one), will know that I'm obsessed with not only questioning everything, but also asking the... [Read More]

» Suspicious Minds (Were Caught In A Trap) from RiskAnalys.is
My friend Mogull seems to have the blues. Hoff and Shurdlu give us their opinions. As for me, I tend to agree more with Shurdlu than Mogull. Imagine if IT were unionized. And the Union said that only CISSPs or security professionals were allowed... [Read More]

» GRC - To Be or To Do from 1 Raindrop
GRC (or Governance, Risk Management, and Compliance for the uninitiated) is all the rage, but I have to say I think that again Infosec has the wrong focus. My problem with making GRC the central part of Infosec programs is best summed up by Charles Har... [Read More]

Disclaimer

  • The views and opinions expressed here are those of Christofer Hoff only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.
