Friday, July 26, 2019

Hardening to death


A quote from Stalker (the 1979 Tarkovsky film, screenplay by A. and B. Strugatsky; the passage itself echoes the Tao Te Ching):

Let everything that's been planned come true. Let them believe. And let them have a laugh at their passions. Because what they call passion actually is not some emotional energy, but just the friction between their souls and the outside world. And most important, let them believe in themselves. Let them be helpless like children, because weakness is a great thing, and strength is nothing. When a man is just born, he is weak and flexible. When he dies, he is hard and insensitive. When a tree is growing, it's tender and pliant. But when it's dry and hard, it dies. Hardness and strength are death's companions. Pliancy and weakness are expressions of the freshness of being. Because what has hardened will never win.

I am somewhat ready to share this opinion, but let me explain first.

This could be true of cyber security as well, when we look at it through the mindset of an expert.

When you find out that your system (computing, or any other set of interacting or interdependent components forming an integrated whole) is weak and exploitable, you want to harden it. You do not want to lose control over it. You do your best and you put your professional reputation at stake. This is what we call professionalism. You back your decisions with all your knowledge and skills. Your organization relies on you and your expertise, and you do not want to fail and have your skills proven inadequate.

So the further you go with hardening without any setbacks, the more you believe in your skills and the less you expect to fail. And if you are reluctant to let someone else test your work, which is quite understandable once you hold a senior position, the less objective feedback you get.

You keep hardening and hardening; you face some challenges, but you find a way to manage them. Of course you do, because you have been doing it for a long time.

But the more you harden your system, the more precious it becomes to you. It becomes too big to lose. And once you realize that your system is too big to lose, you build ever higher walls around it.

You have spent your resources hardening your system, but how much part did you take in everyday life outside its boundary? Did you protect your system to death? Did it become obsolete? Did the surrounding world change so much that your system no longer fit into it? Did it change so much that the assets you were supposed to protect no longer needed your protection, and the business turned against you?

This may be a true story in many companies and agencies where the business need for mobility meets inflexible security standards. Yesterday it was cloud computing versus on-premises infrastructure. Today we talk about taking business data into AI services.

You are allowed to keep your cyber security job only because of the need for compliance, but the assets are somewhere other than in your System.

While Stalker is good science fiction, it is also a criticism of the Soviet system. As a totalitarian system it was hardened. And as we know, it did not serve its purpose. The security did not meet the needs of the assets, if we consider the individual and his rights to be the assets of the system. The security of some was worth more than the security of others.

What we need least is self-sufficient admins and security professionals. Question your decisions, and invite others to break your security architecture. Live with your assets and take care of them, not of your system.
