“Machines Don’t Cause Risk, People Do!”

Posted May 26th, 2010 by

A few weeks back I read an article on an apparent shift in emphasis in government security… OMB outlines shift on FISMA” take a moment to give it a read. I’ll wait….

That was followed by NASA’s “bold move” to change the way they manage risk

Once again the over-emphasis and outright demagoguery on “compliance,” “FISMA reports,” “paper exercises,” and similar concepts that occupy our security geek thoughts have not given way to enlightenment. (At least “compliancy” wasn’t mentioned…) I was saddened by a return to the “FISMA BAD” school of thought so often espoused by the luminaries at SANS. Now NASA has leapt from the heights… At the risk of bashing Alan Paller yet again, I am often turned off by the approach of “being able to know the status of every machine at every minute, ” – as if machines by themselves cause bad security… It’s way too tactical (incorrect IMHO) and too easy to make that claim.

Hence the title of this rant – Machines don’t cause risk, people do!

The “people” I’m talking about are everyone from your agency director, down to the lowliest sysadmin… The problem? They may not be properly educated or lack the necessary skills for their position – another (excellent) point brought forth in the first article. Most importantly, even the most seasoned security veteran operating without a strategic vision within a comprehensive security program (trained people, budget, organizational will, technology and procedures) based upon the FISMA framework will be doomed to failure. Likewise, having all the “toys” in the world means nothing without a skilled labor force to operate them and analyze their output. (“He who dies with the most toys is still dead.”) Organizations and agency heads that do not develop and support a comprehensive security program that incorporates the NIST Risk Management Framework as well as the other facets listed above will FAIL. This is nothing new or revolutionary, except I don’t think we’ve really *done* FISMA yet. As I and others have said many times, it’s not about the paper, or the cost per page – it’s about the repeatable processes — and knowledgeable people — behind what the paper describes.

I also note the somewhat disingenuous mention of the risk management program at the State Department in the second article… As if that were all State was doing! What needs to be noted here is that State has approached security in the proper way, IMHO — from a Strategic, or Enterprise level. They have not thrown out the figurative baby with the bath water by dumping everything else in their security program in favor of the risk scoring system or some other bright, shiny object. I know first-hand from having worked with many elements in the diplomatic security hierarchy at State – these folks get it. They didn’t get to the current level of goodness in the program by decrying (dare I say whining about?) “paper.” They made the organizational commitment to providing contract vehicles for system owners to use to develop their security plans and document risk in Plans of Action and Milestones (POA&Ms). Then they provided the money to get it done. Is the State program a total “paragon of virtue?” Probably not, but the bottom line is that it’s an effective program.

Mammoth Strategy, Same as Last Year

Mammoth Strategy, Same as Last Year image by HikingArtist.com.

Desiring to know everything about everything may seem to some to be a worthy goal, but may be beyond many organization’s budgets. *Everything* is a point in time snapshot, no matter how many snapshots you take or how frequently you take them. Continuous, repeatable security processes followed by knowledgeable, responsible practitioners are what government needs. But you cannot develop these processes without starting from a larger, enterprise view. Successful organizations follow this–dare I say it–axiom whether discussing security governance, or system administration.

Government agencies need to concentrate on developing agency-wide security strategies that encompass, but do not concentrate on solely, what patch is on what machine, and what firewall has which policy. Likewise, system POA&Ms need to concentrate on higher-level strategic issues that affect agencies — things like changes to identity management schemes that will make working from home more practical and less risky for a larger percentage of the workforce. Or perhaps a dashboard system that provides the status of system authorization for the agency at-a-glance. “Burying your head in a foxhole” —becoming too tactical — is akin to burying it in the sand, or like getting lost in a bunch of trees that look like a forest. When organizations behave this way, everything becomes a threat, therefore they spray their resource firepower on the “threat of the day, or hour.”

An organization shouldn’t worry about patching servers if its perimeter security is non-existent. Developing the larger picture, while letting some bullets strike you, may allow you recognize threats, prioritize them, potentially allowing you to expend minimal resources to solve the largest problem. This approach is the one my organization is following today. It’s a crawl first, then walk, then run approach. It’s enabled management to identify, segregate, and protect critical information and resources while giving decision-makers solid information to make informed, risk-based decisions. We’ll get to the patches, but not until we’ve learned to crawl. Strangely, we don’t spend a lot of time or other organizational resources on “paper drills” — we’re actively performing security tasks, strategic and tactical that follow documented procedures, plans and workflows! Oh yes, there is the issue of scale. Sorry, I think over 250 sites in every country around the world, with over 62 different government customers tops most enterprises, government or otherwise, but then this isn’t about me or my organization’s accomplishments.

In my view, professional security education means providing at least two formal paths for security professionals – the one that SANS instantiates is excellent for administrators – i.e., folks operating on the tactical level. I believe we have these types of security practitioners in numbers. We currently lack sufficient seasoned professionals – inside government – who can approach security strategically, engaging agency management with plans that act both “globally” and “locally.” Folks like these exist in government but they are few. Many live in industry or the contractor space. Not even our intelligence community has a career path for security professionals! Government as a whole lacks a means to build competence in the security discipline. Somehow government agencies need to identify security up-and-comers within government and nurture them. What I’m calling for here is a government-sponsored internal mentorship program – having recognized winners in the security game mentor peers and subordinates.

Until we security practitioners can separate the hype from the facts, and can articulate these facts in terms management can understand and support, we will never get beyond the charlatans, headline grabbers and other “self-licking ice cream cones.” Some might even look upon this new, “bold initiative” by NASA as quitting at a game that’s seen by them as “too hard.” I doubt seriously that they tried to approach the problem using a non-academic, non-research approach. It needed to be said. Perhaps if the organization taking the “bold steps” were one that had succeeded at implementing the NIST guidance, there might be more followers, in greater numbers.

Perhaps it’s too hard because folks are merely staring at their organization’s navel and not looking at the larger picture?

Lastly, security needs to be approached strategically as well as tactically. As Sun Tzu said, “Tactics without strategy is the noise before defeat.”

Similar Posts:

Posted in FISMA, NIST, Public Policy, Rants, Risk Management, What Doesn't Work, What Works | 14 Comments »

14 Responses

  1.  Tweets that mention NOVABLOGGER: “Machines Don’t Cause Risk, People Do!” -- Topsy.com Says:

    [...] This post was mentioned on Twitter by grecs, novainfosec. novainfosec said: #NOVABLOGGER: “Machines Don’t Cause Risk, People Do!” http://bit.ly/bqGwFa http://j.mp/nispblog [...]

  2.  Brian Sniffen Says:

    FISMA has not so much been tried and found wanting as found difficult and not tried.

  3.  happy the dog Says:

    Dude you scare me. You nailed it. Legendary. Visionary. Incendiary.

  4.  Windy Says:

    Mature organizations follow solid program management practices for security as well as risk management and they do process management! Repeatable processes go back to W. Edwards Deming’s insights on Total Quality Management and this was picked up by CMU SEI’s Capability Maturity Model.

  5.  MDB in Washington Says:

    Joe – All good points. The problem is not that FISMA cannot work, but that obtaining a good FISMA score has become more important than the reality behind what FISMA was intended to accomplish. Obtaining that great score means pushing out paper that may never be based on reality; i.e. the real security posture of the enterprise.

  6.  Vlad the Impaler Says:

    Thanks for the comments everyone…

    …if you think me scary, you should see what rybolov thinks — he gets to deal with me IRL sometimes…

    The scoring thing is … unfortunate. Yes, it captured everyone’s attention at first, and focused attention on security, but it spun out of control. It rapidly became soemthing it should neve have become — the target metric everyone managed to. I don’t know how we undo that.


  7.  Jim Kirk Says:

    I think that it’s interesting the State managed to do this under the current framework. I am also tired of Paller bashing NIST. A quote from the May 4, 2010 SANS NewsBites “fundamental lack of understanding of cyber threat at NIST” refers to the Bureau of Engraving web site that had been subverted to redirect users to malicious web sites. He blames NIST. I blame the Bureau for a faulty FIPS 199 rating. Internet facing systems should never be a FIPS 199 low IMHO. The processes are fine, reporting has always been munged, OMB’s fault and BTW, the real problem is and always has been, peoples commitment. I see that lack of commitment every day where I work.

  8.  Security Advancements at the Monastery » Blog Archive » FedRAMP and Recent Changes Prepare Feds for Cloud Adoption Says:

    [...] Faraone, aka Vlad the Impaler, in his post "Machines Don’t Cause Risk, People Do!" warns that "continuous, repeatable security processes followed by knowledgeable, responsible [...]

  9.  Paul Z. Says:

    Couldn’t agree with you more but then you already know that I am a disciple of the brotherhood of reasonable security dweebs.

  10.  Kevin Winegardner, CISSP Says:

    Excellent Blog. Your insights and understanding are spot on. Everyone needs to recognize that technical security controls are only one aspect of the Information Risk Management discipline, both operational, and managerial areas must be addressed as well. Truly effective information risk mgmt will occur in an organization when the senior mgmt takes the lead and sets the direction for the culture, and all program/system mgrs. take ownership of their systems security requirements and commit the resources necessary to mitigate them appropriately. The comment above said it nicely, I will re-phrase slightly; “Most IT Security folks, don’t understand FISMA/NIST’s holistic business approach to Info Risk Mgmt. and thus reject it as a ‘paperwork’ exercise. Technical controls alone, have never been able to ‘secure’ our organizations, and never will. Thank you, and keep up the good work.

  11.  When the News Breaks, We Fix it… | The Guerilla CISO Says:

    [...] Comments Kevin Winegardner, CISSP on “Machines Don’t Cause Risk, People Do!”Paul Z. on “Machines Don’t Cause Risk, People Do!”Tweets that mention How to Not Let FISMA [...]

  12.  fin Says:

    FCW cited you as a dissenting voice to Paller’s hoo-rah.

  13.  Security Advancements at the Monastery » Blog Archive » FISMA Reform: Lieberman, Collins, and Carper Introduce Bill Says:

    [...] the same site Joe Faraone, aka Vlad, gives his take in the post “Machines Don’t Cause Risk, People Do!“. He disagrees with Alan Paller, director of research for SANS, when he writes, “At the [...]

  14.  A Funnier Thing Happened on the WAY to Capitol Hill | The Guerilla CISO Says:

    [...] » Blog Archive » FISMA Reform: Lieberman, Collins, and Carper Introduce Bill on “Machines Don’t Cause Risk, People Do!”Security Advancements at the Monastery » Blog Archive » FISMA Reform: Lieberman, [...]

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.

Visitor Geolocationing Widget: