This isn't going to be a fancy post with pictures. It's not going to be long. It's not particularly well thought out, but I need to get it out of my head and written down as tomorrow I plan on beginning a new career.
I am retiring from the Information Security rat race and moving on to something fulfilling, achievable, impacting and that will make a difference.
Why?
Mogull just posted Information Security's official eulogy titled "An Optimistically Fatalistic View of The Futility of Security."
He doesn't know just how right he is.
Sad, though strangely inspiring, it represents the high point of a lovely interment ceremony replete with stories of yore, reflections on past digressions, oddly paradoxical and quixotic paramedic analogies, the wafting fragility of the human spirit and our unstoppable yearning to all make a difference. It made me all weepy inside. You'll laugh, you'll cry. Before I continue, a public service announcement:
I've been instructed to ask that you please send donations in lieu of flowers to Mike Rothman so he can hire someone other than his four year old to produce caricatures of "Security Mike." Thank you.
However amusing parts of it may have been, Rich has managed to catalyze the single most important thought I've had in a long time regarding this topic and I thank him dearly for it.
Along the lines of how Spaf suggested we are solving the wrong problems comes my epiphany that this is to be firmly levied on the wide shoulders of the ill-termed industrial complex and practices we have defined to describe the terminus of some sort of unachievable end-state goal. Information Security represents a battle we will never win.
Everyone's admitted to that, yet we're to just carry on "doing the best we can" as we "make a difference" and hope for the best? What a load of pessimistic, nihilist, excuse-making donkey crap. Again, we know that what we're doing isn't solving the problem, but rather than admitting the problems we're solving aren't the right ones, we'll just keep on keeping on?
Describing our efforts, mission, mantra and end-state as "Information Security" or more specifically "Security" has bred this unfaithful housepet we now call an industry that we're unable to potty train. It's going to continue to shit on the carpet no matter how many times we rub its nose in it.
This is why I am now boycotting the term "Information Security" or for that matter "Security" period. I am going to find a way to change the title of my blog and my title at work.
Years ago I dredged up some research that came out of DARPA that focused on Information Assurance and Information Survivability. It was fantastic stuff and profoundly affected what and how I added value to the organizations I belonged to. It's not particularly new, but it represents a new way of thinking even though it's based on theory and practice from many years ago.
I've been preaching about the function without the form. Thanks to Rich for reminding me of that.
I will henceforth only refer to what I do -- and my achievable end-state -- using the term Information Survivability.
Information Survivability is defined as "the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents to ensure that the right people get the right information at the right time.
A survivability approach combines risk management and contingency planning with computer security to protect highly distributed information services and assets in order to sustain mission-critical functions. Survivability expands the view of security from a narrow, technical specialty understood only by security experts to a risk management perspective with participation by the entire organization and stakeholders."
This is what I am referring to. This is what Spaf is referring to. This is what the Jericho Forum is referring to.
This is my new mantra.
Information Security is dead. Long live Information Survivability. I'll be posting all my I.S. references in the coming days.
Rich, those paramedic skills are going to come in handy.
/Hoff