
I’m well aware of Marcus Ranum’s very considerable contributions to the Information Security space; however, I don’t believe his most recent blog post/whitepaper is one of them. My challenge isn’t with the vast majority of Ranum’s assertions regarding the challenges of Risk Management, the importance of security practitioners communicating the honest truth, and management’s ability to irrationally rationalize away risk. On the contrary, I think virtually all of his observations are spot-on. Rather, I am frustrated that Ranum strongly contemplates the position that unless we “throw it out and start over” we are doomed to perpetual Information Security failure.
I know that Marcus is not alone in his opinion. Our Audit Practice Area Manager has waxed eloquent on the subject to me more times than I would prefer. Further, I will admit there are short stretches where it feels the same way to me. So what’s my beef with “The Anatomy of Security Disasters”? Simply this: as one of the few Information Security “celebrities”, I think Marcus has an obligation to roll up his sleeves, take a leadership position on the subject, and get the wagons moving back westwards again.
“Throwing it out and starting over” (e.g., 40M lines of legacy code can’t possibly ever be considered truly secure) is impractical to consider for a number of reasons, most notably that it ignores the “business risk” inherent in the proposition, a risk that dwarfs the Information Security risk of securing what we have in place now. I think the posting ignores the significant advances of the last 5 years. Escalating security incidents are not a reflection of declining Information Security postures; rather, they reflect the fact that the threat agents and their (growing fiscal) motivations are increasing at a rate that is greater than our improvement.
Security is by no means where it needs to be yet, but it is definitely better than where it was. We have eight years of client Penetration Tests and audits to demonstrate it. I’m also optimistic that initiatives like ISO-27001, OWASP, and SAMM will continue to move security forward (hopefully at an accelerating pace).
I would strongly encourage everyone to read “The Anatomy of Security Disasters”; there are many, many well-made points, perhaps none better than the concerns expressed about Web 2.0.
About the Author:
John W. Verry, CISA/27001 Lead Auditor/CCSE/CRISC - "Security Sherpa" - Information Security Auditor