I have been incensed by certain “pundit” activities through a recent encounter that unfortunately mirrors the frustration I felt 20 years ago as a result of the actions of certain academics where I once taught. The actions of which I refer?
- Sweeping generalizations
- Nihilistic critiques
- An unwillingness to offer or model a solution
Let me give you my recent trigger:
A small company whose security team had announced to a shocked management that they wished to stop using Firewalls and Desktop Anti-Virus because they were ineffective. Probing questions led to a recent encounter that this small security team had with a pundit who professed that these tools were ineffective and new times needed new tools.
Now I’m going to carefully chose my fight here. My issue is in the advice which was presented in an abstract vacuum, devoid of situational awareness and environment. The pundit’s goal to incite thought and discourse through the abrasiveness of the comments unfortunately served this SMB poorly. I do not wish to debate here whether Firewalls or Anti-virus are valuable because there are too many variables to make that a meaningful discussion in a one-sided forum such as a blog. Such a debate will depend upon what you a trying to achieve, the relative effectiveness of the specific vendor’s technology employed, and the effectiveness and appropriateness of the implementation. These are many variables which make the sweeping generalization that “Firewalls are ineffective” quite dangerous.
Yet, as this poor security team understood it, their “ancient” tools had zero value. A one hour question and answer session with the security team (unfortunately in front of management) led to revelations that they had a entered what I call a nihilistic vacuum. They had not considered what controls those tools were intended to provide, what threat and risks were most relevant to their environment and, not surprisingly, they had no strategy beyond the overly simplistic objective of “buying a new technology”. There was no thought of how to address the openings left by their abolition of their only source of network access controls or detection of malicious software. Their new found idealism was directionless and without purpose. This is far from productive, and in a small company, potentially devastating.
What ensued for the remaining two hours was an exercise of modeling how this security team should have reacted to their advice.
I first inflicted some pain by saying that yanking a tool, even if limited in effectiveness, was dangerous if no thoughtful examination is made of what is lost, what is gained, and what will fill the void. What I did next was to model a thought and design process for this team that examined the decision and how they could have approached it far more effectively. Things we discussed:
a) what is valuable to protect here at this company?
b) what are the ways these things are used, handled, or stored?
c) what controls are in place to make sure they are used and protected appropriately?
d) which of these controls will you loose when you abolish the “ancient” technology
e) what designs do you have in place to replace these controls?
f) what level of improved effectiveness and efficiency do you gain from this new design? (and how you can try to model it)
I then showed them that “ineffective” or “ancient” rarely applies to control objectives (such as prevent inappropriate network access to systems, resources and data) without a much greater shifting of heaven and earth. I taught them in the hour I had left that design is an act that we must all undertake, and not to defer this act to some Pundit who lacks the awareness of an environment and goals to make the determination for you.
For those of you wondering about what incensed me 20 years ago; as a Teaching Assistant in two different architecture schools I watched professors launch into scathing reviews of students’ work without a thought given to the student’s or project’s situational awareness. The critique was nihilistic, abstract, and linguistically incomprehensible. The student left with nothing new but tears (or a stiff upper lip). There was no growth from replacing the mistake with a new idea or process, no modeling by the professor of how what they said worked in reality (or a physical world). The student had to grope at random straws to identify the faults in his demolished design (in one case, literally demolished). I rallied against these monstrous outrages then, as I do now.
So all you Good and Bad Pundits, dig deep. Think carefully about what you say, because many hang on your every word. Your words have value, but they also need context. Teach completely and give this context. Be specific and explicit in your critiques. And when you finish with your critique, show how to correct the issues, evaluate effectiveness and model how to find solutions. Inside the context of the InfoSec Echo Chamber we attempt to incite each other to action, but we forget that those who are on the fringe do not always benefit from our battle scars and insights.
I issue this challenge to Pundits because you hold the mantle of leadership through the papers, lectures and conferences which proffer your ideas. Those on the fringe also have the responsibility, but they are the naive, and look to you to overcome this naïveté.
Students, there is no utopia. If you find after you have listened to one of these Pundits you suffer a vacuous nihilism in your InfoSec soul, grab some ABBA, a bean bag chair, and sit down with someone who can explain what it all really means. Unlike unicorns, these people really do exist.
If you need some thoughts about how to do this, I recommend reading Donald Schon “The Reflective Practitioner”, and Chris Argyris “Theory in Practice” (as well as any of his books on direct explicit feedback).