Re-imagining Information Security Standards
Tuesday, September 22nd, 2009Hollywood calls it “Re-imagining”. The creative types call it “rebooting”. We might settle for “re-thinking”. But since it seems to be all the rage these days to take a second look at a subject, I thought I’d apply the concept to one of our favorite topics, Information Security Standards.
RE-IMAGINING INFORMATION SECURITY STANDARDS
Hollywood calls it “Re-imagining”. The creative types call it “rebooting”. We might settle for “re-thinking”. But since it seems to be all the rage these days to take a second look at a subject, I thought I’d apply the concept to one of our favorite topics, Information Security Standards.
I admit that this is an incomplete thought, but I’d like to share it with you for two reasons:
1.) At the end of a podcast I was part of recently, one of the other panelists challenged our industry to stop whining about our current state of affairs and do something better.
2.) To request your feedback on the idea.
So here’s my thought: if we’re going to re-imagine InfoSec standards, as if we could do it all over again, I think there are three basic requirements any standard needs in order to be useful at all:
1.) A standard must provide for its own obsolescence/evolution (falsification and a transparent falsification process must be built in)
2.) A standard must provide means of measurement (both for the outcome of the standard, and to measure the quality of standard adherence)
3.) A standard must reference, and be able to be referenced in, vernacular and in measurement (the language of the standard has to make sense to other standards)
RE-IMAGINING INFOSEC STANDARDS: THEIR NATURE
Digging right in, if we want to re-imagine standards we might start by reviewing the fundamental nature of what a standard is. In a very real sense, our standards are models. As such, any standard is only a hypothesis about how to keep our information confidential and available while maintaining its integrity. But if we’re going to (finally) acknowledge that InfoSec standards are models/hypotheses, then we need to embrace a fundamental premise behind scientific theory: a model or hypothesis is meant to be tested, falsified, and evolved. As such, our new view of InfoSec standards would require that we keep whoever developed the standard (or its current custodian), accountable for that scientific method.
Science Requires Falsification and Innovation
Now ideally, we’d have two things built into the concept of accountability. These two ideas would mean that the standard would provide for its own obsolescence or evolution, and are the premise behind my first usefulness requirement, “a standard must provide for it’s own obsolescence/evolution (falsification and a transparent falsification process must be built-in).”
1.) The InfoSec standard itself should have a falsification process built into them. The standard might describe the pursuit of falsification, what falsification/failures for the standard might look like, and provide us with the means to report a probable failure.
2.) The standard custodian should provide transparency and reporting about that falsification process. Practitioners would have up to date knowledge about failures so that they can keep an eye out for them in their own environment, and hopefully be able to offer a modification to or alteration of the standard based on new information. So whether this is just “patching” the standard or if it leads to a whole new hypothesis, we (the InfoSec community) would at least have visibility into a need to “re-secure”.
RE-IMAGINING INFOSEC STANDARDS: THEIR PURPOSES
Related to our examination of fundamental nature, let’s think about what InfoSec standards are a model *of*. We said that they are models we build to help us with our quest for maintaining the C, I, and A of our business data. In that regard, we might suggest that they are about Information Security “engineering” and management. In other words, design and implement practices to ensure C, I, and A and then establish practices to maintain the desired level of C, I, and A. But if you’re building a control framework or understanding how you should best operate it, both disciplines require the use of measurements. This then necessitates the development, use, and reporting of metrics (indeed, the concept of measurement would be very useful in the scientific method process above).
The Purpose of Standards Requires Measurement
So while we’re re-imagining InfoSec standards, let’s imagine this: standards that tell us not only how to measure the standard’s outcome (secure enough) in a state of nature assessment, but also how to measure the actions that cause “secure enough” – what we might call the quality of standard adherence. This gives us my second standards usefulness requirement, “a standard must provide means of measurement (both for the outcome of the standard, and to measure the quality of standard adherence)”.
This way (and only in this way) we might know that by having expended X amount of effort for compliance to the InfoSec Standard, it produced Y amount of outcome. Then people who implement the standard can discuss how they got Y+n amount of outcome for X-z amount of effort thanks to some new control, or how they are consistently seeing Y amount of outcome from year to year regardless of whether they spent X-1 or X+1 amount of effort, and so on. But we are at the point, as an industry, where measurement is not just desirable – these days it’s actually necessary.
RE-IMAGINING INFOSEC STANDARS: PLAYING NICELY TOGETHER
Finally, since we’re trying to describe a new way of looking at security standards, maybe we could discuss the creation of a means by which models might be able to contribute information to each other.
You see, my belief is that Information Security, as we’re able to describe it right now, is too complex for one over-arching textbook sized model. Rather, I believe that we’ll be more effective if we break the big problem up into smaller, more digestible chunks. So practitioners of the various operational security duties can actually focus on their area of expertise, and not try to be masters of multiple domains (specialization is good, they say).
Standards Must Communicate To Have Aggregate Value
However, if we took the time with a whiteboard to try to paint a picture of all the components of organizational security (talking about the various areas of security specialization in sort of an object oriented sense, if you will), I’m betting we’d see that each area of security needs to be able to share information with others in a meaningful manner. So Software Development processes need to exchange information with Vulnerability Management, who needs to talk to Intrusion Detection/Prevention, who needs to talk to Incident Response, and so on. Now if we can establish rationalized metrics for the models (above), then ideally we’d be using a common security taxonomy, or at least using translation documents provided by the standard that would allow us to use one disciplines metrics (prior or posterior) if relevant to another discipline. This gives us my final standard requirement, “a standard must reference, and be able to be referenced in, vernacular and in measurement (the language of the standard has to make sense to other standards)”.
Carrying that idea forward, it would probably be a great thing to have multiple competing models in any specific field, and wouldn’t it be wonderful if the language and meaning that they used were the same or easily translated (other than measurement models, obviously)? So we would have an idea of comparative (in)effectiveness between competing models!
MOVING TOWARD A RE-IMAGINING
Yeah, so I’ve described a dream world of candy cane trees, rainbows, and happy unicorns. Sure. And I know it might take a generation or two of security professionals to get there. But that doesn’t mean we can’t start now, and start with our current standards bodies – especially within the context of the pursuit and transparency of falsification and the development of meaningful metrics. All it takes is the will to try and the willingness to fail. As my co-presenter David Mortman and I said at Black Hat this year, “Models don’t have to be perfect, just ego-less”.Hollywood calls it “Re-imagining”. The creative types call it “rebooting”. We might settle for “re-thinking”. But since it seems to be all the rage these days to take a second look at a subject, I thought I’d apply the concept to one of our favorite topics, Information Security Standards.
I admit that this is an incomplete thought, but I’d like to share it with you for two reasons:
1.) At the end of a podcast I was part of recently, one of the other panelists challenged our industry to stop whining about our current state of affairs and do something better.
2.) To request your feedback on the idea.
So here’s my thought: if we’re going to re-imagine InfoSec standards, as if we could do it all over again, I think there are three basic requirements any standard needs in order to be useful at all:
1.) A standard must provide for its own obsolescence/evolution (falsification and a transparent falsification process must be built in)
2.) A standard must provide means of measurement (both for the outcome of the standard, and to measure the quality of standard adherence)
3.) A standard must reference, and be able to be referenced in, vernacular and in measurement (the language of the standard has to make sense to other standards)
