How Not To Be a Cyber Janitor

A recent blog post by Jeff Bardin (“The Proliferation of Cyber Janitors”) really resonated with me.  He points out how much of the security industry is focused on incident response and breach notification.  This started with CA 1386 in 2003 and more recently has become a requirement for breaches of health information (HIPAA/HITECH).  While I don’t have a problem with these privacy requirements, too many security programs are focused on reactive solutions to detect incidents and respond.  Bardin calls this the rise of the Cyber Janitors, those responsible for cleaning up digital messes.  If we don’t figure out how to implement proactive security, we will be stuck in clean up mode.

I totally agree with his comments.  In fact I will go further and argue that the whole “Prevent-Detect-Respond” security mentality is broken.  It originates from the old castle security model, where the “good guys” (us) are protected from the “bad guys” (them) by an impenetrable wall and moat.  The wall prevented the bad guys from entering.  Sentries detected if a breach was made.  Soldiers were awakened if needed to repel the breach.  This model worked well for several thousand years but does not work today.  Cyber security problems are systems problems and there is no clear dividing line between good guys and bad guys.

I believe we need to put more emphasis on security management and systems design and less emphasis on exclusively technical solutions to what are non-technical problems.  Adding more layers to the castle wall just does not work.  This was clearly shown in many of the security breaches in 2011.  Most security professionals would agree with this, but then put this approach at the bottom of the priority list.  The thought is that maybe one more new security appliance will solve our problems.

Virtually all security breaches include a bad actor taking advantage of internal errors or communications problems.  We cannot eliminate the bad actors.  We can’t anticipate their next attack vector.  But we can improve our internal defenses.  Continuous improvement models based on Capability Maturity Models have been successful in many software and systems engineering programs.  These models can be used to focus on security processes and help measure and keep track of operational excellence or the lack thereof.  I believe the adoption and use of these models will help to go beyond annual compliance checks and keep us out of clean up mode.

I will be hosting a panel discussion on this topic (“Achieving Operational Excellence in Security”) at RSA 2012 Thursday March 1, for all those planning to attend this conference.  It would be great to have your comments and ideas at this meeting.

Frederick Scholl

Frederick Scholl is an accomplished Global Senior Information Security Risk Manager. Dr. Scholl earned a BS and Ph.D. in Electrical Engineering from Cornell University. In 1991, Fred founded Monarch Information Networks, LLC to enable forward-thinking organizations to protect their information. Previously, he co-founded Codenoll Technology Corporation (NASDAQ: CODN). He chaired the IEEE committee that wrote the first standard for Ethernet communication over fiber optic links, now used world-wide.

Book an Appointment for Cybersecurity Issues

Request an appointment with Dr. Fred Scholl. We will discuss any cybersecurity issues you have.

More Good Reading

Cybersecurity Thrives in An Organizational Context

The First National Cybersecurity Summit

New Privacy Laws Require Security Professionals Up Their Game

Cybersecurity Workforce Development: Real or Imagined Problem?

Antidote for Fake Everything

Information Security Risks, Gray Rhinos and Black Swans

Managing Information Security On a Limited Budget

Building a Security Start-Up

Cybersecurity Risk Management for Directors

My Reading List for Security Start-Ups

Should Your CIO Learn to Code?

How IT Leaders Can Keep a Seat at the Table

Equifax points out—again—the need for speed in security management

Anatomy of a Security Breach

The Smartest Information Security Companies

Book Review: Play Bigger

Long Term Beneficiaries of WannaCry

RISK: A NEW MOVIE ABOUT JULIAN ASSANGE

TRADE SECRET THEFT CONTINUES UNABATED

TENNESSEE LEGISLATORS MUDDY WATERS AROUND PRIVACY BREACH NOTIFICATION REQUIREMENTS

LEADERSHIP CHECKLIST FOR SECURITY PROFESSIONALS

SIEM VENDORS HAVE IT ALL BACKWARDS

THE SECRET TO GROWING YOUR SECURITY STARTUP

CLOUD JOBS PEAKING?

The Spy Who Couldn’t Spell

IS THERE A CYBERSECURITY PROFESSIONALS SHORTAGE?

No Blue Pill for Cybersecurity Failures

Presidential Cybersecurity Commission Makes Some Good Suggestions

Understanding Intelligence

Align Your Security Program With the Business

Don’t fall victim to BEC

Enterprise Risk Management and Information Security

Evidence Based Risk Assessment: Lessons Learned from the Y-12 Breach

First Conviction for Illegally Distributing Android Apps

Locking Up the Ivory Tower

Cloud Vulnerabilities

More Security Lessons Learned from the Y-12 Breach

Security or Compliance?

Home Disaster Recovery Planning

Cloud Computing: Trust but Verify

Background Checks May Not Be Enough

PERFECT SECURITY STORM FOR LAW FIRMS?

How Not To Be a Cyber Janitor

SECURITY MEMO: IT CAN’T HAPPEN HERE, CAN IT?

Don’t Forget Cloud Availability

Compliance v. Security

GAO Report on Information Security in Federal Government

Lean Security

Mitigate Your Social Engineering Vulnerabilities

HIPAA Security. Are We Making Progress?

Brand Your Security Program

PDCA is Dead

LEARNING FROM PAST MISTAKES

How Better Security Can Create Shared Value

C’est La Vie, You Never Can Tell: Lessons Learned from the HBGary Hack

DDOS Tutorial

The future of information technology

Data Governance Anyone?

Learning from the oil spill disaster

Down the Rabbit-Hole…Again?

Ideas on Risk Management