Copyright © 2002
can be thought of as being inversely related to complexity. There was a time as recently
as in the 1970’s when the concept of security, particularly security
related to cryptography was a black art. The operations were simple
because they were contained within a black box. The applications were
simple because the problems were point to point. The essential idea
from an employees perspective was that there are published corporate
policies and if you needed help you called the security officer. The
security officer would take a look at the problem, ask you what happened, assure
it was within regulation, tell you not to do whatever you did and record the
incident. That was about it. The centralized hardware and procedure
was supposed to take care of the problems. Competence was hard wired.
As long as you had a badge, nothing much could go wrong if the people
involved were good guys. In the 1980’s, things began to change.
Computer arrived and people began to think in different terms. Processing
could now take place independently of authorized procedures because things got
“soft.” Data could be
aggregated into information and information aggregated into knowledge. Half
dozen small books of critical knowledge could suddenly be created and put into a
shirt pocket. The policy of checking for sensitive documents by
their classification as people went out of buildings became impossible. To
compensate people were voluntarily supposed to have magnetic media passes. Backup tapes were soon included.
In 1990’s, personal computers began competing with personal laptops
so the magnetic media paperwork began to include laptops and their drives.
Then came writable CDs and now writeable DVD’s. During this time, the
computers were intranet-worked and then internet-worked. The connection speed
became easier and faster than access to a drive. Then
came instant messaging. By now the security concepts of the 70’s was
sunk. In the background of all of this escalation grew the concept that
cryptography could somehow solve all of this and bring back the good old
days of centralized security.
It was easy to think that if we could just find a way to transparently secure drives, and encrypt all documents and network links then the solution would be at hand. The trouble was that things got faster, applications changed, operations changed. Embedded cryptographic security processes were not universally inherent within the operating and networking systems. Even the secure operating systems were found to be wanting. There were holes. There were security patches to plug the holes. There were security patches to plug the security holes in the security patches. The security systems prevented the users from using software and hardware that was most useful. There were dozens of passwords required for applications. Cookies were created to authenticate users and machines.
This is the
kind of instantaneous metamorphosis of technical hodgepodge we exist within
today. Change will happen just as
rapidly tomorrow. Solutions to security are fragmented because they
remain incremental. Policies are fragmented because they are
security was being treated like components of a stereo system. The gaps to
security do not become coherent because they exhibit themselves as
conceptual gaps within the collage of interdependent subsystems. Any
idea that a true security competence might emerge from this fragmentation sounds
foolish without a more cohesive conceptualization of security.
you an idea of the historical dilemma, something significant becomes obvious.
Standards are not enough.
I would like
to begin to explain the four pillars that are necessary for a foundation of
security competence and how security certification might exist in the future.
four things, technical competence can be achieved.
Security competence must begin with a more fundamental philosophy about the
ethical nature of security. Security is not only about policing problems;
it is about organizational fairness and welfare. It is about
instilling a just opportunity for internal operational solutions to
rise to the top. Moreover, security is more about belief in people than
skepticism of people. The philosophy must exist in writing and must be
both preached and kept constantly in practice or it will be forgotten.
Integrity must be expressed as a statement of order and as a statement of
Security competence must no longer be based on technologies that turn over
every eighteen months. It must be based on the premise that there exist
underlying rational processes that justify transactions, rather than logic that
may authenticate individuals or systems. This kind of justification is a
much larger concept that includes appropriate levels and means of
authentication. Justification means real-time observation and
responsive documentation. It is a means of making relative the historical fact
with the present. It means projecting a proactive urgency that is based on
performance because security is about effectiveness.
3. Language: Security
competence must take advantage of language in order to communicate reasoned
associations. The approach I am speaking of now is not about a new
form of techno-speak for security consulting embalmers and arbitrators.
It is about establishing and replenishing a richer and deeper language of
understanding. It is also not about the historically incremental
considerations of language. What I am saying is that if new words are not
adequate or relevant than new words are required. Security competence
cannot be based on double meaning terms from the dim past that are
difficult to get a handle on. Recursive concepts are necessary within
a recursive field but that only means that maintaining security
competence requires that language is constantly maintained and updated.
4. Inclusion: Security
competence should be based on standards that are inclusive rather than
exclusive and include both relative human and organizational objectives. By this, I mean that security must
include and be included within the concept of performance, not protection from
nonperformance. This means that competence be derived from
participation within rather than exclusion from participation. Some may
consider this a costly thought, but I say that it is a necessary idea.
It is necessary because the objectives of organizational performance must be
a part of organizational competence.
Now we put these concepts all together. As security experts, we need to think in terms of a Rational Language revolving around an Inclusive Philosophy. This is a very different way of thinking. It affects the choices we make for selecting problems as well as the choices we make in solving them. It is a coherent way of thinking because it removes the blinders through which we have institutionalized the potential solutions we have to select. Instead of technical reductionism to the absurd, a more balanced and more encompassing approach can be integrated into the fabric of the communication process. For those of you who do not know the distinction between communication and communications, I suggest that you should give it some thought. It is the difference between what is possible for security and what we have today.
Copyright (c) 2001-2007 RDFollendoreIII All Rights Reserved