Posted April 11th, 2007 by rybolov
Learn Something from the Cavalry
Remember the old westerns? The US Cavalry always comes riding over the hill just in the nick of time and rescues the hero à la deus ex machina. It’s almost uncanny how the cavalry manages to show us their sense of timing, but if you’ve ever known or worked with the cavalry, they plan it that way–they’re the first well-known proponents of Just-In-Time methods. Bear with me, and I’ll explain this grandiose statement.
According to the cavalry article at Wikipedia, the cavalry (more specifically, the light and medium cavalry) has the traditional roles of scouting, screening, skirmishing, and raiding. When they engage, they pick the time and place to engage, and that gives them local numerical and firepower superiority when overall they have a disadvantage.
So think back to the Battle of Gettysburg. It’s a classical meeting engagement between two 19th-century armies. You’ve got the Union Army on one side with very active cavalry under Brigadier General Buford scouting out ahead of it. He sees the Confederate Army and chooses the time and place to engage them in order to delay the Confederates and give the Union Army time to occupy the high ground south of Gettysburg. The rest by now is well-known–the Union Army defeats the Confederates by defending the high ground and turns the tide of the war.
How does the cavalry master time and space? They have some advantages that can be summed up in one sentence–they conduct reconnaissance activities in order to mass at critical points and times. In other words, they know how to prioritize and it gives them an advantage on the battlefield.
One other thing that the cavalry realizes is the concept of friction. It’s not a new concept, Clausewitz uses it quite frequently. But it does make sense if you’ve ever gone to war: things are never the best-case scenario. Attack times get delayed because Private Smith left the tripod mount for the M240 in his ruck sack. We can minimize friction to a manageable level, but it’s still present in even the best-planned and best-executed mission.
In information security management, we’re trying to accomplish the same thing. We use metrics as reconnaissance to find out the times and places to mass our forces. We use risk management and triage techniques in order to prioritize our scarce resources to engage and destroy the superior enemy. We account for friction by having a layered approach–if you will, defense in depth. We use our local advantage in order to shape the remainder of the business engagement.
Yes, we have much that we can learn from the cavalry. And in the end, we might ride over the ridgeline just in time to save the day.
Posted in Army, Odds-n-Sods, Rants, Risk Management | No Comments »
Posted April 10th, 2007 by rybolov
A little-known piece of trivia: in the original ending to Pretty in Pink, Andie picks her geek friend, Duckie. The test audience didn’t like this, so they refilmed the ending where she picks Blane. This was a perfect opportunity to show the world that geeks are cool in their own way. But peer pressure won out in the end, just like it always does.
The moral of the story is, even in the movies, geeks don’t get the girl. And we’ve been suffering ever since. =)
Pretty in Pink trivia at IMDB
Posted in Odds-n-Sods, Rants | No Comments »
Posted April 10th, 2007 by rybolov
Risk Management Above All
I have people come to me all the time relating something to what they want to do with whether a particular system has been certified and accredited yet. My answer is almost always “I don’t care about C&A, I care about risk management!”
I’ve worked on projects where my goal was, if I accomplished anything else, I was going to teach the team how to do risk management.
Why is risk management so important? Well, for starters, you need to go into information security management knowing and accepting the following facts:
- Fact: There is always a shortage of money
- Fact: There is always a shortage of people
- Fact: There is always a shortage of time
- Fact: You will always have shortages because if you have enough resources for security, you slow down progress on the business end.
Let’s look at a related scenario from a different industry — a hospital emergency room — for some insight. They deal primarily with time and people, and they only have so many resources to manage. That means that they have to prioritize who gets helped first.
Inside of the emergency room, they have a pretty well-established process to determine who gets the help first. They perform triage to evaluate and prioritize patients into categories then they treat the worst first.
Sounds like risk assessment and risk management, doesn’t it? Good information security managers know how to do triage. That’s how you budget out your time, people, and money. The rest is basic project management skills.
Posted in Rants, Risk Management | No Comments »
Posted April 9th, 2007 by rybolov
This week, I’m doing a series on some of my core beliefs as an information security manager. I’ll put up a good blog post each day on something that I hold close to my heart.
Posted in Odds-n-Sods, Rants | No Comments »
Posted April 9th, 2007 by rybolov
Security is not Different
Basic fact: If you give an engineer a set of requirements, they will build to them, whether they are functional requirements or security requirements.
Basic fact: Businesses use metrics to determine the effectiveness of anything that they do and to assist in making cost/benefit/risk comparisons. Channeling Jacquith for a moment here, why should security be any different?
Basic fact: What is the dividing line between quality IT management and quality IT security management? There is so much crossover that, from what I hear, ISACA tells you that you can let QA people serve in some security roles.
Basic fact: Good project managers do risk management for their project. Security just adds a different set of considerations.
Basic fact: It all comes down to economics and personnel management, just like construction, running a restaurant, or engineering a 3-tier major application.
Basic fact: As an information security manager, I spend 80% of my time doing one of two things–either personnel management or basic project management.
And yet, why do I have people telling me constantly “I can’t do that, I don’t know security”? One of my core beliefs is that security is not different from anything else, and that as long as we as security practitioners keep some kind of mystique about what we do, it will continue to be a “black art” that nobody else thinks they can do.
Posted in Odds-n-Sods, Rants | 1 Comment »
Posted April 9th, 2007 by rybolov
I’ve been looking around for a home for my 2U server, and the cheapest I can find something for is $150/month. For a box that just does my personal web and email services, I can’t see paying it out of pocket.
Maybe I just came of age during the dotcom era, where colocation was cheap. Maybe I’m just crazy/old/curmudgeonly.
Anyway, consider this a call to the masses: If you offer colocation in the DC area for a 2U server with minimal bandwidth use for $50 or so per month, drop me an email. =)
Posted in Odds-n-Sods, Technical | No Comments »