Thought-Terminating Cliches and Infosec
Posted August 17th, 2010 by rybolov
Reference: Thought-Terminating Cliches. They are ugly things, they are all over the security industry, and they need to die, mostly because they are so obvious that they need to die before we can introduce new ideas.
Just starting a collection, feel free to add more:
- Compliant doesn’t mean secure.
- You can always go above the minimum baseline.
- You don’t know what you don’t know.
- Security is a journey, not a destination.
- We all know that $Foo is dying/dead/failing/stillborn.
- There is no silver bullet.
- It’s security, it’s supposed to be hard.
Posted in Rants | 7 Comments »
Tags: infosec • management • security
August 17th, 2010 at 9:49 am
Industry Standards
Best Practices
Defense in depth
Fear, Uncertainty, Doubt (FUD)
August 17th, 2010 at 10:12 am
I’m sceptical about it… Sure, these are clichés.
I think it would be better not to point them out as clichés but rather as bad formulations of good ideas.
For instance, “compliant doesn’t mean secure” is the typical sentence you’ll hear from someone who doesn’t want to speak more about a subject. That is, indeed, a thought-terminating cliché. Yet, you can’t say that it’s wrong…
For this particular point, I would rather say that compliance is one specific part of security. I would define security as Confidentiality, Integrity, Availability and Compliance (to legal and internal constraints). Less thought-terminating, it lets you see that you’d better run parallel processes for these different parts, with different audits, criteria, people, etc.
“Security is a journey, not a destination.” So true, but I would rather say that security is not a static asset, it’s a constant re-evaluation of security needs, more than everything else.
“There is no silver bullet.” That’s a word you could hear from a conscious CISO. I would however rather say that the review and enhancement of existing IT services (ITIL sense) and security measures is of more value than the implementation of ever-newer “security products”.
As for the list itself, I would happily add the items “You can’t reach 100% security.” or “There is no 0% risk.”
August 17th, 2010 at 11:21 am
“Data wants to be free”
August 18th, 2010 at 8:33 am
Oh, and of course “multiple security layers” as an excuse for the fact that you don’t actually control the endpoints…
August 19th, 2010 at 10:17 am
“You can’t patch stupid.”
Amen. I’d pull some of those items out though and put them into a list of “fundamental laws” that really don’t ever need to be said because they’re so obvious, but they do formulate the bedrock of our approaches (kinda like scientific laws and simple statements make the foundation of more complex assertions).
“Compliant doesn’t mean secure.”
“You don’t know what you don’t know.”
“Security is a journey, not a destination.”
“There is no silver bullet.”
“It’s security, it’s supposed to be hard.”
These are clichés only because too many people still bandy them about like new insights. Or, like you say, as thought-terminating clichés, and you just want to slap someone for leaning on them too much.
August 20th, 2010 at 2:04 pm
Let’s not forget –
“What gets measured gets improved.”
And
“It’s security for security’s sake.”