Robert: you say "However, many have jumped
on "security is a process" in order to burden their
organizations with overweight processes. Moreover,
narrow minded bureaucrats often use "security is a
process" to prevent talented/educated people from
actually getting their job done -- with a detriment to
an organization's security. I see organization after
organization where process is the enemy of security."
I agree with your conclusion but I wonder...are you
suggesting the intent is to burden or the
outcome/result of processes is to burden the
organization (I'm wondering if you're seeing something
less ignorant and more insidious here)?
Either way, does this then require that security folk
engage in better bureaucratic speak (to explain to the
advocates of process for the sake of process what
really is needed) or better security by way of little
or no budget (without their support, I get no
support)? By that, I mean is the obstacle I face in
the scenario you present above (which is my very
situation - my CIO believes he knows security because
he read Secrets and Lies) my inability to converse
with the brass or is it my lot in life to always fight
their ignorance and vulnerability to what often
amounts to marketing spin?
Or have I missed your point altogether?
respectfully,
parnelli
parnelli_vondel_at_yahoo.com
--- "Graham, Robert (ISS Atlanta)" <rgraham_at_iss.net>
wrote:
> From: Randy Taylor [mailto:gnu_at_charm.net]
> >I agree with you that CC and a process-oriented
> security approach
> >are different "things" in and of themselves.
>
> They are the same. It seems you haven't understood
> either of my previous
> messages (sorry, I probably phrased them poorly).
>
> My argument is essentially: Common Criteria
> Evaluation is an example of
> good process, but it is generally bad -- therefore
> process is generally
> bad.
>
> When cryptographers say "security is a process", the
> type of processes
> they are referring to are those like Common Criteria
> Evaluation. I have
> a hard time understanding how somebody can be "for"
> process, but
> "against" processes like CC.
>
> The crux of the problem is what economists call
> "decreasing marginal
> returns". A small amount of lightweight processes
> give you more benefit
> than they cost. A large amount of heavyweight
> processes (like CC) give
> you marginal benefits but cost a huge amount. If you
> are the military or
> intelligence organization (the guys cryptographers
> generally design
> cryptography for), then you are willing to spend
> that much for small
> improvements. If you are everyone else, then you
> can't afford it. The
> military has secrets that are worth more than your
> entire organization
> (and you don't).
>
> A small amount of process is worth the cost.
> However, many have jumped
> on "security is a process" in order to burden their
> organizations with
> overweight processes. Moreover, narrow minded
> bureaucrats often use
> "security is a process" to prevent talented/educated
> people from
> actually getting their job done -- with a detriment
> to an organization's
> security. I see organization after organization
> where process is the
> enemy of security.
>
> Disagreement on semantics is one of the most boring
> debates on
> technology forums. It is quite possible that you and
> I agree on the core
> problem except for the semantics: i.e. you describe
> reasonable processes
> and express a distaste for heavyweight processes. My
> goal isn't to
> convince you of my semantics. My goal is to give
> ammunition to the
> talented security engineer who is stopped by stupid
> people who insist on
> controlling their actions with yet more process,
> because Bruce Schneier
> says that process is the end-all/be-all of security.
> I find it curious
> that there are lot of people who know little about
> security, yet they
> insist that they should be the ones creating more
> process to constrain
> the actions of those who do. I have met a lot of
> frusterated security
> professionals out there who have expressed these
> same sentiments.
>
__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
Received on Jan 21 2003
Intro
