This has been a year filled with significant compromises of high profile organizations, many through trivial or easily detectable problems. If we are doing our jobs as security assessors, verifiers, fixers, or advisers, it certainly might seem as though we are not being effective. Or even worse, that we are failing. But, I do not think this is the case at all.
Many of us in the security and technical industry have poor diets, do not exercise frequently, drink too much caffeine and otherwise do not lead healthy lifestyles. We choose to avoid being proactive and instead react to our health problems only once they appear. Yet we do not consider this a failure of the medical industry. Whatever our physicians may think or say about us, however we choose to present the findings to our stakeholders (family), and however we may lie to our doctors or restrict how we let them help us, we know deep inside where the blame really rests when we are later affected by the decisions we make, and we know we may let down those who depend on us.
It is true that a customer will frequently tell me which systems or applications I shouldn’t touch on a penetration test, either because of concerns they have regarding their criticality and availability requirements or because they are trying to set themselves up to “pass” the security test. I may be lied to regarding security practices, policies, and known problems within the organization.
Given these problems, as an information security consultancy, we are there to be trusted advisers and to prescribe what we feel is most beneficial to the client. If our clients do not feel the need to let us help them as best we can, we are no better off than doctors with unhealthy patients unwilling to do what is necessary to achieve the goals we think they’re supposed to have. Obviously, this analogy can be drawn out further and further; with respect to compliance, regulatory or legal security requirements, the customer cannot always dictate what is to be tested or how, just as certain medical examinations for non-elective purposes assume the patient may be less than truthful and require that the results go to external stakeholders for other purposes (insurance, fitness for service, etc.).
We haven’t failed; we just have the same problems and frustrations as other industries. To be shortsighted is human, and when we see our clients making decisions we disagree with, we must dutifully continue to do our jobs. If a doctor cannot force his patient to quit smoking through reasoning, fear, test results, or any other method until the patient actually feels the effects and wants reactive assistance, then we in our industry know we at least face similar challenges.
Great post. Really appreciate your thoughts on the matter. And I agree completely. -Robb