back to article Defence in depth: Don't let your firm's security become a boondoggle

Information security (infosec) isn’t a game for amateurs. No one solution will do. Proper information security requires defence in depth: layers of technologies, techniques, best practices and incident response woven together into the tapestry of everyday operations. Unfortunately, hiring professionals is no guarantee that …

  1. Roo
    Windows

    "Someone who has a pretty good idea of the fundamentals but whose primary value is that they know what they don't know, but know someone who is an expert in solving a given problem."

    I hope HR depts get the memo on that because they have a habit of classifying people who know what they don't know as weak candidates. :)

    1. Anonymous Coward
      Anonymous Coward

      "I hope HR depts get the memo on that because they have a habit of classifying people who know what they don't know as weak candidates"

      Except for HR people themselves, of course: it's fine if they know nothing about the job in question, they can still filter out candidates that don't tick arbitrary boxes.

      More seriously - Rumsfeld got stick for his "known knowns" thing (wasn't that a NASA thing originally?), but I'd suggest that the ability / willingness to admit there are things you don't know, and even that there might be things you don't know that you dont know, is a fairly good characteristic ?

      1. DocJames

        Upvoted AC

        for Rumsfeld comment - the guy's been a moron since he was working for Nixon; finally says something rational and then gets castigated for it?! Bizarre.

        The most interesting bit is of course the aspect of the quadrant he didn't mention: the unknown knowns - things that are so self evident that you don't even notice you're making those assumptions.

        1. Anonymous Coward
          Anonymous Coward

          Re: Upvoted AC

          have an upvote for the upvote :)

          However, you're right: the things that are so self evident no-one asks twice are often the things that come back and bite you.

          There are other things - like saving money by using a single, "more capable" product to save 50p compared with two different boxes from two different vendors - of course the "management by magazine" crowd will save the money, just as long as they can tick off the feature list from the article they read, regardless of the all eggs in a single vendor's basket etc.

      2. Roo
        Windows

        "More seriously - Rumsfeld got stick for his "known knowns" thing (wasn't that a NASA thing originally?)"

        Rummy got stick from me for that speech simply because it was flannel wrapped up in bafflegab. He could have summarised 20 minutes of bollocks by simply saying "We don't know", so he got a big thumbs down from me for talking shite in an attempt to obscure the fact all his arguments had no logic or basis in fact whatsoever. Worse still, Rummy was waffling, excusing, bullshitting and lying while people (them and "us") were dying as a direct result. Rummy has earned as much scorn as Nixon sabotaging the LBJ-VC peace talks from my POV, I accept that others may differ in their assessment.

        1. DocJames
          Devil

          Paris peace talks

          rather than LBJ's. But I appreciate he would have got credit in the US (and probably then won reelection).

          But (my main point) is it was Kissinger rather than Nixon who sabotaged the talks. See icon for either of them.

  2. simmondp

    Therein lies ruin

    The trick is to understand how to align business strategy to security architecture. Unfortunately having a rough idea and using goggle means you end up with a firewall and some boxes that often inhibit the business and security is thus seen as "the boys that say NO"

    I'm sorry Trevor; "Proper information security requires defence in depth: layers of technologies, techniques, best practices and incident response woven together into the tapestry of everyday operations" may be correct for some businesses - but for most this approach is old-hat, and means kludging their architectures to take advantage of BYOD, Cloud, IoT and other such technologies that gives them strategic advantage.

    The most agile companies are 100% cloud, using Chromebooks and BYOD; where is your need for firewalls, layers of technology etc.?? Then actually you need a CISO that understand Cloud Identity and entitlement, not layers defence.

    But then you get what you pay for......

    1. Trevor_Pott Gold badge

      Re: Therein lies ruin

      There are so many layers to how wrong you are that the air around you has flavours.

      Please never practice anything related to IT. In this or any other reality, anywhere in any of the multiverses.

    2. Roo
      Windows

      Re: Therein lies ruin

      "The most agile companies are 100% cloud, using Chromebooks and BYOD"

      "Trotter's Independent Traders" would qualify as a "most agile" company. :)

    3. Throatwarbler Mangrove Silver badge
      FAIL

      Re: Therein lies ruin

      The most agile companies are the ones that are here today, gone tomorrow--that way, they're never burdened by the weight of past successes! Perhaps you should emulate them.

    4. Intractable Potsherd Silver badge

      Re: Therein lies ruin @simmondp

      So, to paraphrase your comment - the most agile companies are those that don't give a toss about the security of their own, or their customers', data because everyone working there wants the latest shiny.

      Nice one, Sir! Have a downvote.

  3. Anonymous Coward
    Anonymous Coward

    Its all about business value.

    InfoSec is cross cutting, should be designed in (with other things such as performance) and fundamentally needs to support the business. IT is only there to support the business, not the other way around.

    No-one quotes how many servers were hacked. They quote how much value the business lost...

  4. a_yank_lurker

    Boondoggle

    The ferals suffer from a massive "not invented here" problem. The fact there is scalable commercial and open source solutions readily available will never cross their feeble minds; assuming they have a mind. They will want to redesign the software instead of investigating what will work and is currently available.

  5. Mike 137 Silver badge

    Infosec?

    Nothing discussed here is really infosec - it's ITsec. ITsec is a small part (maybe 30%) of infosec. Conflating the two is the error that almost everyone makes and it results in a technocentric view that fails to deliver real security however much you spend. Infosec is about management of risk - ITsec is about choosing and deploying defensive technologies. Unless this is done with reference to business risk, it will be at best very expensive and at worst both very expensive and a failure.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon