Comments on: The Best Question In Information Security http://newschoolsecurity.com/2010/02/the-best-question-in-information-security/ The Blog Inspired By The Book Wed, 08 Feb 2012 09:21:02 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Russell http://newschoolsecurity.com/2010/02/the-best-question-in-information-security/#comment-930 Russell Tue, 02 Feb 2010 20:34:11 +0000 http://newschoolsecurity.com/?p=1310#comment-930 Contrary to my contrary nature, I'm going to agree with everyone! Ian's great question focuses attention on why all the time, money, and brilliance invested in purely engineering solutions haven't made us more secure. (Ian uses the term "security as a science" to mean crypto algorthms, purpose-built security devices, trusted computing architectures, etc., which I call "engineering solutions"). If your only tool is a hammer, every problem looks like a nail. When in doubt, get a bigger hammer. Gunnar's "Cui bono?" question puts a spotlight on the incentive systems that perpetuate this unproductive cycle, and also other maladaptive cycles in Information Security. The best way to break the cycle is to change the incentives. Sir Adam's great question is the ultimate test for all InfoSec efforts -- "how's it working for you?". I like Gunnar's and Jared's adds because the emphasize the forward-looking nature of security decisions, plus the essential uncertainties and necessity of continuous learning. OK now... how about a group hug!!! :-) Contrary to my contrary nature, I’m going to agree with everyone!

Ian’s great question focuses attention on why all the time, money, and brilliance invested in purely engineering solutions haven’t made us more secure. (Ian uses the term “security as a science” to mean crypto algorthms, purpose-built security devices, trusted computing architectures, etc., which I call “engineering solutions”). If your only tool is a hammer, every problem looks like a nail. When in doubt, get a bigger hammer.

Gunnar’s “Cui bono?” question puts a spotlight on the incentive systems that perpetuate this unproductive cycle, and also other maladaptive cycles in Information Security. The best way to break the cycle is to change the incentives.

Sir Adam’s great question is the ultimate test for all InfoSec efforts — “how’s it working for you?”. I like Gunnar’s and Jared’s adds because the emphasize the forward-looking nature of security decisions, plus the essential uncertainties and necessity of continuous learning.

OK now… how about a group hug!!! :-)

]]> By: jared http://newschoolsecurity.com/2010/02/the-best-question-in-information-security/#comment-925 jared Tue, 02 Feb 2010 04:49:10 +0000 http://newschoolsecurity.com/?p=1310#comment-925 oops, forgot greater/less than symbols are html tags... I meant to say, “are you getting the outcomes you want and how do you feel about getting *new predicted outcomes* in the future." oops, forgot greater/less than symbols are html tags… I meant to say, “are you getting the outcomes you want and how do you feel about getting *new predicted outcomes* in the future.”

]]> By: jared http://newschoolsecurity.com/2010/02/the-best-question-in-information-security/#comment-924 jared Tue, 02 Feb 2010 04:44:58 +0000 http://newschoolsecurity.com/?p=1310#comment-924 Gunnar, Your add is great. For me, I alter it a bit to read, "are you getting the outcomes you want and how do you feel about getting in the future. Using the new school tactics I like to make a case how the control landscape should adjust to the threat landscape. I'm ok with the business choosing not to change. I'm not ok with being surprised. Gunnar, Your add is great. For me, I alter it a bit to read, “are you getting the outcomes you want and how do you feel about getting in the future.
Using the new school tactics I like to make a case how the control landscape should adjust to the threat landscape.
I’m ok with the business choosing not to change. I’m not ok with being surprised.

]]> By: Gunnar http://newschoolsecurity.com/2010/02/the-best-question-in-information-security/#comment-922 Gunnar Mon, 01 Feb 2010 16:54:53 +0000 http://newschoolsecurity.com/?p=1310#comment-922 I agree - Are you getting the outcomes you want? is a better question than cui bono (tho yours loses the cool Latin thing). If we can add - Are you getting the outcomes you want *and* do you feel confident about getting those outcomes in the future? Then I will vote for that. I agree – Are you getting the outcomes you want? is a better question than cui bono (tho yours loses the cool Latin thing).

If we can add – Are you getting the outcomes you want *and* do you feel confident about getting those outcomes in the future? Then I will vote for that.

]]>