May 28, 2010

questioning infosec -- don't buy into professionalism, certifications, and other silver bullets

Gunnar posts on the continuing sad saga of infosec:

There's been a lot of threads recently about infosec certification, education and training. I believe in training for infosec; I have trained several thousand people myself. Greater knowledge, professionalism and skills definitely help, but are not enough by themselves.

We saw in the case of the Great Recession and in Enron where the skilled, certified accounting and rating professions totally sold out and blessed bogus accounting practices and non-existent earnings.

Right. And this is an area where the predictions of economics are spot on. In Akerlof's seminal paper "The Market for Lemons," he predicts that the asymmetry of information can be helped by institutions. In the economics sense, institutions are non-trading, non-2-party market contractual arrangements of long standing that get stuff happening. Professionalism, training, certifications, etc. are all slap-bang in the recommendations.

So why don't they help? There's a simple answer: we aren't in the market for lemons! There's one key flaw: Lemons postulates that the seller knows and the buyer doesn't, and that simply doesn't apply to infosec. (Criterion #1) In the market for security, the seller knows about his tool, but he doesn't know whether it is fit for the buyer. In contrast, the salesman in Akerlof's market assumed correctly that a car was good for the buyer, so the problem really was sharing the secret information from the seller to the buyer. Used car warranties did that, by forcing the seller to reveal his real pricing.

The buyer doesn't really know what he wants, and the seller has no better clue. Indeed, it may be that the buyer has more of a clue, at least sometimes. So professionalism, certification, training and warranties aren't going to be the answer.

Another way of looking at this is that in infosec, in common with all security markets (think defence, crime) there is a third party: the attacker. This is the party that really knows, so knowledge-based solutions without clear incorporation of the aggressor's knowledge aren't going to work. This is why buying the next generation stealth fighter is not really helpful when your attacker is a freedom fighter in an Asian hell-hole with an IED. But it's a lot more exciting to talk about.

Which leads me to one controversial claim. If we can't get useful information from the seller, then the answer is, you've got to find it by yourself. It's your job, do it. And that's really what we mean by professionalism -- knowing when you can outsource something, and knowing when you can't.

That's controversial because legions of infosec product suppliers will think they're out of a job, but that's not quite true. It just requires a shift in thinking, and a willingness to think about the buyer's welfare, not just his wallet. How do we improve the ability of the client to do their job? Which leads right back to education: it is possible to teach better security practices. It's also possible to teach better risk practices. And, it can be done on an organisation-wide basis. Indeed, this is one of the steps that Microsoft took in trying to escape their security nightmare: get rid of the security architecture silos and turn the security groups into education groups [1].

So from this claim, why the flip into a conundrum? Why aren't certifications the answer? It's because certifications /are an institution/ and institutions are captured by one party or another. Usually, the sellers. Again a well-known prediction from economics: institutions to protect the buyer are generally captured by the seller in time (if not in the creation). I think this was by Stiglitz or Stigler, pointing to finance market regulation, again.

A supplier of certifications needs friends in industry, which means they need to also sell the product of industry. It's hard to make friends selling contrarian advice, it is far more profitable selling middle-of-the-road advice about your partners [2]. "Let's start with SSL + firewalls ..." Nobody's going to say boo, just pass go, just collect the fees. In contrast:

In short, the biggest problem in infosec is integration. Education around security engineering for integration would be most welcome.

That's tough, from an institutional point of view.

[1] Of course, even for Microsoft, bettering their internal capabilities was no silver bullet. They did get better, and it is viewed now that their latest products are more secure. FWIW. But, they still lost pole position last week, as Apple pipped Microsoft to become the world's biggest tech organisation, by market cap. Security played its part in that, and it is something of a rather stellar prediction that it still remains better /for your security/ to work with a Mac, because apparent Mac market shares are still low enough to earn a monoculture bounty for Apple users. Microsoft, keep trying, some are noticing, but no cigar as yet :)

[2] E.g., I came across a certification and professional code of conduct that required you to sign up as promoting /best practices/. Yet, best practices are lowest-common-denominator, they are the set of uncontroversial products. We're automatically on the back foot, because we're encouraging an organisation to lower its own standards to best practices, and comply with whatever list someone finds off the net, and stop right there. Hopeless!

OT but reading through this I was struck by the parallels with the personal finance industry in India.

In this case too the seller, usually an agent, doesn't really understand the product (say a mutual fund) well and neither does the buyer.

The 'certifications' route for agents had been adopted by the mutual fund industry, but that hadn't helped matters. Agents continued to sell the product with the highest commissions, ignoring what the buyer really needed.

The regulator took the unusual step of
a. Mandating that buyers can approach the fund house directly at which point no commission can be charged (the fund operating expenses are anyway taken from the asset value)
b. Mandating that the commission amount be paid separately and directly to the agent. Earlier this was hidden from buyers: they paid one amount to the fund house and the fund house paid back a commission to the agent.
c. Mandating that the agent is free to set the commission amount, subject to a max cap. Earlier this was set by the fund house.

This had thrown the whole industry in turmoil. In the end some agents shaved their commissions down and became an 'execution only' route. Others started down the route of becoming overall financial planners for a slightly larger fee. Many smaller agents basically closed down. And many buyers moved to the direct fund house route to save commissions altogether.

There was a large dip in fund asset value growth while this shakeout happened, but this has picked up again. In the end, the jury is still out on whether the buyer is now really better off.

Of course the parallel with infosec ends at the point where a knowledgeable regulator stepped in to make some changes in a regulated industry.

Posted by: AC2 at June 1, 2010 12:52 AM
