Take your pick of great strategic thinkers: George Washington, Carl von Clausewitz, Garry Kasparov, Lord Nelson, Napoleon Bonaparte, Sun Tzu, Herman Kahn, etc.
Now, sit them at a table and have them look over reams of InfoSec incident responses.
Assuming you’ve accomplished this time and culture travel, they’ll already be well familiar with Homer Simpson and, if we’re lucky, they’ll compare us favorably to Homer’s professional accomplishments.
Mmmm… more blinky lights…
I find it’s useful to consider three contemporary fields in particular when pondering InfoSec strategies and our future: Defense, Economics, and Healthcare. And all three fields have grasped nonlinear preventative and swarm tactics in a way InfoSec would be wise to consider.
And, like InfoSec, all three also have their snake oil salesmen and demons to satiate.
Recently Meredith Patterson (@maradydd) tweeted about an opinion piece in The New York Times (1) on Healthcare:
“If high touch medicine offers additional monitoring and services, how can it save money? Arnold Milstein, now a Stanford professor, identified physician groups that were above average in quality but treated patients for 15 to 20 percent less money than average.
How did they do it? By preventing emergency room visits and subsequent hospitalizations.”
I’d argue this approach is missing almost entirely in Enterprise Security plans. Conceptually everybody talks about preventative care (e.g. configuration/patch management, security life-cycles) and rapid incident response.
However, we discharge the patient as soon as possible with a new gizmo hanging somewhere and pat ourselves on the back, only to be revisited by misery a short time later and do the InfoSec triage all over again.
Organizations need to invest in strategic long-term care of their assets. Every response should be pervasive and prompt a re-examination of existing architectures, controls, training, etc. Don’t scoff; it’s really not that difficult.
Your team has likely considered every nuance in their minds more than once. Actually addressing them isn’t as intensive each subsequent time. And, like the study (2) The New York Times opinion piece covered, you’re going to see a cost savings and quality improvement across your Enterprise.
When I broach this topic I usually get a range of responses, but they all circle one issue: Nobody cares about the long-term because they won’t be there. That’s not frequently true; it simply can’t be, because professionals need an accomplished and tangible record to move on in the first place, and usually a significant body of work to progress their careers.
Such a body of comprehensive and responsible work, as I suggest above, would produce more data and metrics. It also gives your colleagues and team more confidence in your leadership abilities.
As for the respect you show for their body of work: there is nothing an InfoSec professional hates more than seeing their hard work squandered.
Do you want your team to look at you as a Homer Simpson or a Lord Nelson?
Homer Simpson is awesome and is © 20th Century Fox
Cross-posted from Packetknife's Space -- http://www.packetknife.com