Post-RSA 2012, CNET’s Elinor Mills spills what may be the proverbial beans (at least as far as mainstream tech media assumes those beans to be…) regarding the continuous failure of the information security industry to actually secure assets in the enterprise, agency, bureau, department, what-have-you. Whilst Ms. Mills’ argument is the age-old adversarial model of combat betwixt two parties of disparate foci, my viewpoint, predictably, is fundamentally different.
Regardless of the efficacy of her argument, the truth is much less complex. It is comprised of economic rationale, inclusive of misguided risk-management scenarios (usually led by a management group with flawed reasoning, rather than guided by an engineering reality), and the related induced flaws leading to the inevitable concomitant engineering errors, exacerbated by significant ignorance of even the most basic tenets of computer science and data security, et al. What is the result of this hearty bonnyclabber of blatant, off-target vulnerability mitigation? Wait for it…
Couple all of this with a less-than-sufficient training regime, focused only on acronymical certification signatory taglines - rather than real education and cognition (methinks I shall invoke the Socratic Method and the rigor-laden Scientific Method) - and what do you get? Again, wait for it…
In reality, and certainly without rancor {regardless of the diatribe inherent in this screed}, the vast majority of information security related management and implementation failures (both technical and functional) are almost always traced back to incompetence; of course, this argument is equally as age-old as the one CNET’s Elinor Mills writes of. Ah, le cercle de la vie…
Physician, educate thyself.
* Homage to A.E. Neuman…