What is security? Is it a mindset? Is it a measurable and actionable posture or position? Or is it a
bit of both? People, as a race, learn from doing; they learn by example. Ingrained into our psyche
is a process that builds new information upon previous knowledge as we learn. As Isaac Newton
said, “If I have seen further than others, it is by standing on the shoulders of giants.” Basically,
we bring in a foundation of old information as we process new information.

But this does not always work in our favor, particularly in the area of technology. Technology
has a way of exposing the flaws in past ways of thinking by filling in the gaps between human
assumptions. Technology answers many of the questions that, frankly, were previously
answered by ad-libs. I think the relationship between science and religion also exemplifies this
quite well. As more technological advances are made, more things about the world that were
previously explained by divine intervention, or magic if you will, are demystified. The people
who came up with these answers were revered as some manner of guru and were held in a
position of regard. Some were indeed gifted and contributed to the well-being of others with
their insight and wisdom. And some were a bunch of jackleg gurus making up stories in the
absence of wisdom, insight, and altruism—or they were simply snake oil salesmen. My intent
is not to be prophetic, but rather to make the suggestion that we need to focus on making clear
distinctions between the lessons that history holds that provide true value to information security
(infosec) and the ones that are simply a bunch of crap.

A security strategy needs to plan for and respond to incidents as moving targets on a sliding
scale. Vectors and targets will change as technology changes, and as revenue sources for criminals
dry up, new ones will be scouted out. Attacks against users and modes of behavior in a
home-usage environment will migrate to mobile scenarios as both individuals and businesses
conduct more and more business via cell phone. But while the attacks change with the targets,
what remains constant are the fundamental building blocks of security, which I believe are
security in depth and least privilege. The reason is that I have been writing about
this subject for decades now, and these two security concepts have remained as reliable and
dependable as they were years ago.