March 29th, 2005 by Chandler Howell

In the current Alarmed column at CSO Magazine, Scott Berinato accuses the Information Security profession of failing to protect Corporate Management from themselves, calling it our “Waterloo” and, “the overwhelming defeat of security.”

Companies not only have failed to secure personal data, they can’t secure personal data. The range of technologies available today is in fact incapable of producing an acceptable level of security. The IT infrastructure that business runs on is so flawed, technically and socially, that nothing, no number of security products, can be slapped on post facto to secure personal data.

I agree with him here. It was an “overwhelming defeat of security.” But if he wants to pick a battle, I am still hopeful that it will turn out to be Security’s Battle of Dunkirk.

Information Security has indeed suffered a grave defeat. Our methods and tools are not able to evolve as quickly as the threats. The potential impact of an incident keeps growing. New worms like Witty are giving us a taste of how lucky we have been to date just as old worms like Code Red continue to remind us every month how hard it is to kill these things off once and for all.

Yes, these are dark days for Information Security. It seems like every time we turn around, we read about another major privacy incident. At the same time as our traditional perimeters are eroding we are under siege from malware, crackers, worms, spyware, spam, spim, social engineering and more. Longstanding Best Practices for securing infrastructure no longer hold true.

Internally, we are expected to produce ROI justification for security-related initiatives, effectively asking us to Prove a Negative (hint for those who never took logic: You can’t). Security’s involvement in the IT process has been pushed back to a “Security Review” which consists of nothing more than running an Operating System vulnerability scanner against the servers a day or two prior to Go-Live.

Across the board, the risk and security practitioners I talk to feel like they’re being asked to do more with less. Often the result is that they feel their company has assumed avoidable risks, either unnecessarily or accidentally, because Management was unwilling to (ironically) risk the possibility that proper Risk Management practices would drive up costs or reduce revenue from an initiative.

Look back to the article for a good example:

ChoicePoint’s spokesperson for this incident was its CMO. A brazen choice, a cynical semaphore that said to customers and shareholders and everyone else, “We’re going to spin this.”

Reprehensible, perhaps, but it makes sense. It’s just the logical extension of marketing’s dominance over IT in the first place. Long ago, in an era called the dotcom boom, marketing finally neutered information security. Vendors promised “solutions” to Kool-Aid-drinking marketing veeps. Those veeps in turn promised to alchemize revenue out of consumers’ private information. Go, said the CEO. Buy these technologies, collect this data and we shall dominate and our stock prices will soar.

We may have been pushed off the continent but we’re still in the fight. We’ve got new weapons and allies in the fight thanks to Sarbanes-Oxley (for financial processes and systems) and SB1386, GLB and HIPAA (for disclosure of privacy breaches, credit card handling, and medical privacy). CFOs are a lot less willing to ignore (assume) risk now that their freedom could be on the line if they sign off on inaccurate financial statements.

Even the threats are starting to help us out. When its significance is properly explained (rapid spread + highly destructive nature + nature of systems impacted), the Witty worm makes a very powerful example of the importance of proactively managing the risk associated with patching and worms. Intrusion Prevention and Anti-virus systems don’t do much good if the vulnerable system has been trashed hours before the signatures come out. In this context, reactive mitigation technologies are a lot less reassuring.

Sure, Information Security is taking the blame for the loss. We have historically done a poor job of Managing Risk because it’s been more about making lists and doing math, whereas “Security” mostly involved Playing With Toys.

We have been played for fools by our own Management. They told us we should “manage the risk” and we agreed to it. We were so happy risk was being managed at all that we forgot to consider whether or not it was our job to do it. Then, when Management overruled us, we were still left holding the bag.

But we’re wiser now. We understand that there’s a lot more to Information Security than technology. We’ve got new laws on our side, new methodologies for assessing risk, and we’ve learned a lot about how to Play The Game.

We’re regrouping and when we hit the beaches, I hope it will be our finest hour.

- Posted in Security and Risk Management, Risk Management, Network Security, New Rules of Information Security, Privacy

Axel Says:

While I haven’t read the column yet, your quotes seem to show that he believes in security by technology… As the saying goes: “If you think technology can solve your problems, you don’t understand technology and you don’t understand your problems.”

- March 30th, 2005 at 9:24 am