Defence in depth: Don't let your firm's security become a boondoggle Information security (infosec) isn’t a game for amateurs. No one solution will do. Proper information security requires defence in depth: layers of technologies, techniques, best practices and incident response woven together into the tapestry of everyday operations. Unfortunately, hiring professionals is no guarantee that …
"Someone who has a pretty good idea of the fundamentals but whose primary value is that they know what they don't know, but know someone who is an expert in solving a given problem."
I hope HR depts get the memo on that because they have a habit of classifying people who know what they don't know as weak candidates. :)
"I hope HR depts get the memo on that because they have a habit of classifying people who know what they don't know as weak candidates"
Except for HR people themselves, of course: it's fine if they know nothing about the job in question, they can still filter out candidates that don't tick arbitrary boxes.
More seriously - Rumsfeld got stick for his "known knowns" thing (wasn't that a NASA thing originally?), but I'd suggest that the ability / willingness to admit there are things you don't know, and even that there might be things you don't know that you dont know, is a fairly good characteristic ?
for Rumsfeld comment - the guy's been a moron since he was working for Nixon; finally says something rational and then gets castigated for it?! Bizarre.
The most interesting bit is of course the aspect of the quadrant he didn't mention: the unknown knowns - things that are so self evident that you don't even notice you're making those assumptions.
have an upvote for the upvote :)
However, you're right: the things that are so self evident no-one asks twice are often the things that come back and bite you.
There are other things - like saving money by using a single, "more capable" product to save 50p compared with two different boxes from two different vendors - of course the "management by magazine" crowd will save the money, just as long as they can tick off the feature list from the article they read, regardless of the all eggs in a single vendor's basket etc.
"More seriously - Rumsfeld got stick for his "known knowns" thing (wasn't that a NASA thing originally?)"
Rummy got stick from me for that speech simply because it was flannel wrapped up in bafflegab. He could have summarised 20 minutes of bollocks by simply saying "We don't know", so he got a big thumbs down from me for talking shite in an attempt to obscure the fact all his arguments had no logic or basis in fact whatsoever. Worse still, Rummy was waffling, excusing, bullshitting and lying while people (them and "us") were dying as a direct result. Rummy has earned as much scorn as Nixon sabotaging the LBJ-VC peace talks from my POV, I accept that others may differ in their assessment.
The trick is to understand how to align business strategy to security architecture. Unfortunately having a rough idea and using goggle means you end up with a firewall and some boxes that often inhibit the business and security is thus seen as "the boys that say NO"
I'm sorry Trevor; "Proper information security requires defence in depth: layers of technologies, techniques, best practices and incident response woven together into the tapestry of everyday operations" may be correct for some businesses - but for most this approach is old-hat, and means kludging their architectures to take advantage of BYOD, Cloud, IoT and other such technologies that gives them strategic advantage.
The most agile companies are 100% cloud, using Chromebooks and BYOD; where is your need for firewalls, layers of technology etc.?? Then actually you need a CISO that understand Cloud Identity and entitlement, not layers defence.
But then you get what you pay for......
InfoSec is cross cutting, should be designed in (with other things such as performance) and fundamentally needs to support the business. IT is only there to support the business, not the other way around.
No-one quotes how many servers were hacked. They quote how much value the business lost...
The ferals suffer from a massive "not invented here" problem. The fact there is scalable commercial and open source solutions readily available will never cross their feeble minds; assuming they have a mind. They will want to redesign the software instead of investigating what will work and is currently available.
Nothing discussed here is really infosec - it's ITsec. ITsec is a small part (maybe 30%) of infosec. Conflating the two is the error that almost everyone makes and it results in a technocentric view that fails to deliver real security however much you spend. Infosec is about management of risk - ITsec is about choosing and deploying defensive technologies. Unless this is done with reference to business risk, it will be at best very expensive and at worst both very expensive and a failure.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
