What should the new czar do? (Tanji’s Security Survey)

by adam on August 19, 2009

Over at Haft of the Spear, Michael Tanji asks:

You are the nation’s new cyber czar/shogun/guru. You know you can’t _force_ anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will?

My three:

  • De-stigmatize failure. Today, we see the same failures we saw yesterday because we don’t talk about what went wrong. We laugh and point fingers. We need to admit that everyone gets hacked, get over it, and start talking about how it happened and what we can do to learn from it. (This isn’t the same as accepting failure, it’s saying that we understand it happens, and starting to distinguish between what failures might be in our control, and how to expound that set.)
  • Gather data. This is a mirror to the de-stigmatization of failure. The czar should gather as much data as they can on a need-to-share basis, starting with federal systems. What happened? How did the failure manifest? Were there controls in place? Were they credible? Were they managed and monitored?
  • Shoo the mathematicians. No, not shoot, shoo. Send them off the pedestal for a while. Security is a social value, and as a social value, we need to study the human aspects of it like we did at the workshop on security and human behavior. [Update: What I really want is not to eliminate math, but to move to a diverse set of analytic tools. Of course we need math to analyze data, but I think we've gone too far with mathematical models, proven security, and need more engineering rigor. Engineering rigor is obviously based on math, but not done by mathematicians.]

These three goals are possible from a bully pulpit. They don’t require a lot of budget. (Heck, the datalossdb.org guys do it on a volunteer basis.) They’ll be transformational in the way we approach security.

Bonus fourth task: fine anyone $20 each time they say “best practices.”

What’s your take? What should the czar be trying to accomplish?

[Update: Pete Lindstrom takes up the challenge in "If I were a Czar." Who else wants to take a whack at it?]

5 comments

If you don’t use math or best practices, what do you endorse?

by Pete on August 19, 2009 at 1:32 am.

I didn’t say don’t use math, I said without data there’s nothing useful for them to do.

by Adam on August 19, 2009 at 2:09 am.

Love the post Adam. We need a requirement for something like NTSB style accident reports in state breach notification laws.

by Dave Hull on August 19, 2009 at 1:35 pm.

Ditto Dave Hull

by Alex on August 19, 2009 at 2:44 pm.

The systematic deception of security threats ought to be number one.

by Pete Etep on December 22, 2009 at 10:44 pm.
