Security and Due Diligence

Saturday, May 28, 2011

Chris Blask


In the wake of Siemens', Cisco's and Sony's recent experience with Incident Management, the question of diligence comes clearly to the fore.

Diligence is the nebulous factor that is key in demonstrating that others should put their trust in you, whether it is a matter of investing in your company or measuring your compliance or just deciding if it is safe to get in your car with you late on a Saturday night.

We all make judgments on the diligence of others every day in myriad ways. It could be easily argued that displaying due diligence is the most fundamental foundation of human interaction.

The moment we walk into a grocery store our nose will tell us if the owners have been diligent in cleaning under the freezers and behind the shelves. We will or will not return to that establishment based as much on our impression of the care taken by the proprietors as by the quality or price of the commodities offered for sale.

So, what diligence is due when a security problem with the products or services you have provided to the world rears its ugly head? How much is too little? Is it possible to display too much?

Let's take those in reverse order. Can you be too diligent?

Surprisingly perhaps, the answer is "Yes". Many great ideas and wonderful products never serve any purpose in the real world because the people behind them spend too much energy trying to forecast everything that could possibly go wrong and addressing each possible point in advance.

In 1990 I was working at GE Power Generation in Greenville, SC. On the day that the first 9000F turbine was undergoing the most critical part of final assembly - lowering the 150-ton rotor into the lower half of the casing - the piece stuck just before making it safely onto its bearings.

A small group consisting of the lead architect, engineer, operator and a few others gathered and discussed the problem for a few minutes. Apparently having reached a consensus, the lead operator - a strapping gentleman of Paul Bunyan proportion - approached the offending assemblage and proceeded to beat the living tar out of the rotor with a massive wooden sledge hammer that Wile E. Coyote could have found in an oversized Acme crate.

Satisfied, he signaled the crane operators and the rotor nestled successfully in its berth. Vacuum welding due to the tight tolerances was the culprit; a little harmonic vibration was enough to break the bond.

My boss - the incomparable Walt Wren - and I discussed this afterwards. He explained that our competitor in Japan would have dealt with this entirely differently: sending everyone home, convening an executive meeting the next day, and setting off a chain of events that would see the entire design and manufacturing process reviewed and dismantled until the fatal error was identified.

We beat our Japanese competitor for the first 9000F deal and sold $1B of gear to Tokyo Electric Power Company. Today the 9000F is the de facto standard in fuel turbines for power stations.

Similarly, Siemens or Sony or Cisco taking apart their entire infrastructures at a cost that would put them out of business would likely be taking diligence to an extreme that negates its purpose.

How much diligence is too little?

As has been infamously said about pornography: "I know it when I see it." Over the decades I have taken no little pleasure in tweaking my peers by saying that, in security, Comfort Levels are more important than actual security.

Expanding on that I will note that your customers will not be able to achieve their desired comfort level if your product or solution is not actually secure, but that it is also possible to create wonderfully secure products while simultaneously failing to make anyone comfortable enough to actually use them.

There are lots of good products and services and solutions created and offered to the market. Quite often the "best" of them are not the ones that become widely adopted, to the endless consternation of experts in the field.

For those who are willing to look beyond the technical aspects of their area of expertise to the broader economic and sociological implications of their work, displaying the appropriate amount of diligence to allow other people to adopt the fruits of their labor is at least as important as building the better mousetrap.

History is littered with the carcasses of great ideas that have expired on the bench due to a lack of commitment to the demonstration of diligence to those outside the lab.

In the three examples on the table, it seems that Sony is trying hard to make up for diligence lapses in the past, Cisco only begrudgingly decided to display a dab of diligence and Siemens seems to imply that all this diligence stuff is highly overrated.

All other factors aside, linear logic would indicate that each will experience success in their endeavors in direct relation to the diligence they are displaying if they each follow their current apparent paths.

Where popular consensus continues to view the diligence of a vendor as too little, commercial success may well steal away silently like a thief in the night.

So, finally: What diligence is due when your product or services are shown to have security flaws that place your customers at risk?

Look to sociology for your answer, not technology. Ask your pastor or father or favorite English teacher. Find the person who makes you the most uncomfortable when you try to dazzle them with brilliance, and ask them what diligence means.

These people will recognize your diligence when you display it and just as quickly burn through your balderdash just by the looks on their faces.

I have real sympathy with each of the companies mentioned. But I have been in their shoes - quite literally in my time running the Cisco PIX team - and my response was:

"This is not your problem, it is ours. It isn't even 'ours', it is mine, personally. I will not rest and I will not prevaricate and I will not lie to you or hide from my responsibility until that debt of trust you put in me is honored. The reason you can trust us, despite this real flaw found in our products, is that when we say we care about what we do we mean it to the very pits of our souls."

Behind all the technology and corporations and globe-spanning markets and networks there are individual human beings. The actions and intent of those individuals shine through the layers between them and the rest of us like arc lights through Kleenex. There is no replacement for intent.

What many who live too far removed from their customers forget is that their brand and their power is based entirely on the ongoing personal relationship they have established with the individuals who choose to adopt their wares.

The diligence that is the dues paid to maintain those relationships does not come from bank balances or market share. It comes from each of the people behind the thin veneer of brick and plastic that face their corporate campuses.

Those who choose to seek Due Diligence within themselves will find it. 

Chris Blask authored the first book on SIEM, "Security Information and Event Management Implementation", published by McGraw Hill. Today he is Vice President of Industrial Control Systems Group at AlienVault, the producer of the world's most popular SIEM technology, and is on faculty at the Institute for Applied Network Security (IANS).
