SecBiz -- Who will be Infosec's Pariah?

Monday, November 07, 2011

Ali-Reza Anghaie


More so in the past three months than I can remember at any time since the 'great cryptography wars' of the 90s, InfoSec has become overrun with Fear, Uncertainty, and Doubt (FUD).

Marketing pitches have somehow moved beyond guarantees of protection against APTs straight into Dragon Tear Mace. We're on the verge of bottoming-out and reconstructing our collective industry souls.

The next three years will be exciting times for our industry. And the first major breakthrough will be finding our pariahs.

Every major movement has a pariah moment that, whether remembered or not, changes the approach of The People radically and quickly. In environmental activism it came from Bjorn Lomborg ("The Skeptical Environmentalist") and in military projection/geopolitics it came from Thomas P.M. Barnett ("The Pentagon's New Map").

You can endlessly debate the staying power and nuances of the messages, but the bottom line is that the ~way~ people thought about problems changed significantly with Lomborg and Barnett.

You may not remember it well, but take a good look through Google News, LexisNexis, and Factiva. You'll notice the same roughly three-year cycle whereby a small vocal group of "thought leaders" responded that Lomborg and Barnett were idiots, naive, or liars. Then it slowly crept into The Economist, the NY Times, the WSJ, etc.

And finally, while simultaneously dismissing their contributions, people started sounding more and more like Lomborg and Barnett. In Lomborg's case it went so far as institutional character assassination, later rebuked/reversed by larger Government investigations.

I think it is beneficial to concentrate on Lomborg for the moment. In particular these three books, which he wrote or edited:

  • The Skeptical Environmentalist (2001)
  • Solutions to the World's Biggest Problems (2007)
  • Global Crises, Global Solutions (2009)

Specifics of each book's details or proposed solutions are not the key takeaway. The key takeaway is that Lomborg and the contributing authors proposed using resource and fiscal economics, balanced against measurable metrics of human well-being, as the basis for ~all~ big decisions.

OK, so a bunch of you are going: "I do that! This is old news! Pfft, tell me something I don't know!"

Yeah, you're probably right. I'd wager most of my Twitter friends already think along these lines, and have for quite some time. However, the InfoSec industry as a whole does not. And we need a voice, or a few voices, to totally shatter the "thought leaders" of yesterday. Of today, even.

Who decided who these so-called thought leaders are? Where was this committee convened? Consider for a moment that encryption, courtesy of Bruce Schneier, is still quite frequently considered the be-all and end-all of security. It's been nearly two decades since "Applied Cryptography", and even Schneier can't shake this Ghost of Security.

Here is the good news… great news, actually. Lomborg and Barnett had to come from the proverbial left field to make their impact. Our change is evolving internally, because practitioners in InfoSec are already broadly aware of the bigger issues (environmentalism and geopolitics being the analogues above). Our pariahs are already in place but not well recognized outside of our community. (I'm going to avoid naming names, unless asked directly, simply because it'd be unfair of me to singularly nominate some people.)

So here is what I'm proposing...

Take the community models that have driven InfoSec's greatest changes of the past decade, in particular a fairly new entry into the community, PTES (the Penetration Testing Execution Standard), and base an outreach program on that model.

An informal to semi-formal committee that peer-reviews an open wiki publishing InfoSec practice ideals: things that can translate into Congressional hearings, DoD acquisition guidelines, insurance riders, mainstream media, etc., etc.

Explicitly not built upon an existing certification or standards group. Not (ISC)², not the Jericho Forum, not SANS, nobody... something more organic and peer-driven.

A group like this can take public perception and discussion in a better direction than either anti-virus or the new-fangled Anti-Dragon-Tear APT Conan Swords. A group like this can carry enough weight to temper the FUD of a few repetitive, attention-whoring messages in the press.

CNN, the Christian Science Monitor, Fox, etc. need a more balanced message? We've got it. Congress needs a more reasonable perspective? We've got it.

Yes? Can't this be done in a community-driven, organic, and professional way? I do indeed believe so!

So who wants to put their name in the hat as a prospective Pariah? It'll be the most fulfilling skewering you ever get. -Ali

Cross-posted from Packetknife's Space

Krypt3ia I'm glad the name you give it is "Pariah" cuz I already have the corner on the market of "Red Headed Bastard Stepchild"
Ali-Reza Anghaie And they're two different things. As a whole, RHBS describes your feelings on our industry vs. "everybody".

I mean a pariah ~within~ our industry. Or a few of them. Those that rock the boat enough to make CISSPs and the "prevailing knowledge" that is BS get knocked to the side. People who can take this huge percentage of cushy security professionals who get to rest on the idea that AV and incident response are their only duties... AHHHCKKKGRGHH...

Never mind. ;-)

I'll rant later, -Ali
Ali-Reza Anghaie Fsck it... might as well...

Of the so-called industry elders I'd say Ranum & Mudge are the best fit to "blow up" the current norms in the industry. I'm not talking about the norms at a Con but the norms that the Press and Governments take.

Add to that Dave at Diebold, Weld at Veracode, and then five to fifteen lower-trenches guys. I'm in, it was my idea... ;-)

Wiki-format high-level BIG statements followed with very particular responses to very high-visibility issues. And a GV or Voxox VM box or 24/7 media hotline shared with media personnel for comments and/or bullsh*t detection services. Same idea, maybe a different number, for Governments and donors (e.g. Universities or Think Tanks like RAND).

When somebody says APT or SCADA will kill us all by this evening, we need to have a better more cohesive ~community~ voice.

Anyhow... short version of the rant. -Ali
When somebody says APT or SCADA will kill us all by this evening, we need to have a better more cohesive ~community~ voice.

And here I was thinking I was the lone voice of "OH NO YOU DIDN'T" out there... Welcome.