On top of all of this, I've just spent the afternoon with Alex Hutton. Now I feel like my journey was worth the palpitations and sweats on take-off and gut-wrenching lurches of landing. We spent the afternoon getting lost on the highway, talking risk, FAIR, UK and European markets, all that jazz. He made me look at some things in a totally new way, which is always a sign of a great conversation.
The general consensus of the conversation was that we are still in the very early stages of our understanding of security, and of what is possible. It feels to me like we have reached a glass ceiling, and after our conversation this afternoon I finally realise why that is. We're looking at it all the wrong way. The problem with security is that it is too much of an art: too much is left to opinion, and too many are looked up to for that opinion. Myself included.
"If I went to a doctor and said I was feeling unwell, and he just gave me a bunch of things I needed to do to protect against that...", Alex started, "he'd be a witch doctor".
"Or a priest", I interjected.
"Or a priest", he concurred.
"Well, that's what PCI does."
Rather than PCI being the witch doctor, what about us, the bloggers? WE are the ones who are the witch doctors. I rather prefer PCI as priest, because it does not pretend to be the healer, but rather a guide, and I think it is a good analogy for keeping both the critics and the advocates happy.
What we need in security is a bit more science. I enjoy security because, as everyone is very fond of saying recently, it is an interesting intellectual pursuit, like philosophy in many ways. Only it is also something which we can make money out of, by applying business ideas, or consulting, explaining our hand-wavy ideas to people less intellectual than ourselves.
What we don't have is an exact model, a method which says "here is where the problem was, here is where it is now, and here's where it's going to be. This is how much it will cost." PCI says "do this and you will be living a good clean life, the wages of data breach is fines" - the priest. Bloggers say "apply tree-root bark, AV, firewalls, DLP, etc, to the wound and it will solve all that ails you" - the witch doctor. Very much steeped in opinion and personal bias.
The model needs to be accurate. As Alex explained, it has many variables, few absolute metrics, and varies with threats, data flow and system management. How that model comes about is anyone's guess; when it does, it will be incrementally improved, much like modern medicine. It will probably have its critics, none more so than amongst the bloggers it seems to contradict, or the PCI advocates it initially seems to put straight. I see no reason for it not to co-exist with both, however. As a blogger I am always willing to learn. PCI is not a fundamentalist; it is flexible, and will adapt if given the scope to. In this regard I am the Christian Scientist.
The model will be guided by experiment and empirical analysis rather than opinion. How many times have we all been proven wrong by new evidence? "80% of threats are external", "firewalls will secure your network", "<insert
You should listen to Alex. He's a very smart guy, and he's leading the field in finding the answers to this, along with his business partner, Jack. I understand what he's been getting at a little better for having met him, picked his brains and got to the bottom of where he's coming from. If only I had another 4 hours to write it all down...