Sometimes an obsession over any one security approach, whether it's policy or a specific technology, can be a very unhealthy thing overall.
"Your Ahab needs to get the complete backing of upper management and then work constructively with his users to educate them about the policy so that they want to follow it."
Recently I've been preparing for a course on Information Security Management I'll be teaching this summer at Webster University in St. Louis. To prepare for it, I've been poring through the textbook, looking at web sites, reading government and industry policy documents and, of course, examining the instructor's manual that came with the textbook. At the same time, during my moments of relaxation, I've immersed myself in Herman Melville's Moby-Dick, or, The Whale, yet again. Thinking about the two very topics of infosec security and Moby-Dick, I came up with an interesting analogy that causes me to ask security professionals: is there a white whale in your organization?
For those who don't remember the story of Moby-Dick, it's a 19th century epic about the voyage of the American whaler Pequod around the world. Ahab, the obsessed captain of the Pequod, seeks vengeance upon Moby Dick, the seemingly malevolent white whale who amputated Ahab's leg in an earlier, near-fatal encounter. After months at sea, encounters with other whaling ships, the hunting of many whales, and more information about every aspect of whales than you ever thought you'd read, Ahab finally finds Moby Dick. After an exciting three day hunt, Moby Dick sinks the Pequod, assists Ahab in his ironic death, and then disappears, essentially unharmed. The crew of the Pequod perish, except for Ishmael, the narrator of Moby-Dick, who is rescued by another whaler.
Obsession about policy and security
Moby-Dick is not an allegory, or a one-for-one representation; in other words, it would be silly to say that "Moby Dick = nature" and that "Ahab = obsessed humanity," and leave it at that. At the same time, I think it's instructive to think about the characters of Moby-Dick in light of what they tell us about the people with whom we work, live, and interact. I'm betting we all know an Ahab in our jobs as security pros: imagine him as a manager or security professional obsessed with one single thing, to the detriment of your other security needs.
For instance, maybe your security "Ahab" is focused to the nth degree on policy, and demands utter adherence to it no matter what the circumstances. As we all know, mandated policy without the buy-in of users and management is doomed to failure. Your Ahab can rant and rave all he wants about the necessity of following a given policy, but if users perceive it as unjust or unreasonable, or don't really have the training to understand the why's and how's of the policy, they'll ignore it... or worse, actively subvert it. Your Ahab needs to get the complete backing of upper management and then work constructively with his users to educate them about the policy so that they want to follow it. When policy is implemented correctly, it can be a very useful tool.
Perhaps your Ahab's white whale is one particular technology. Perhaps even an operating system. Maybe it's Windows, Linux, or Mac OS. Maybe it's a security product, such as a technology from Symantec, McAfee, CA, or Sourcefire. Maybe it's an open source or proprietary software focused on network scanning or penetration testing. Or maybe it's even an obsession about one particular area of focus such as IDS, pen testing, or log analysis. Either way, it's easy to get an overweening fixation on one distinct area of technology to the exclusion of all others, even if those others make better business or technological sense.
This warning doesn't apply to security technicians, of course, who are expected to focus like a laser beam on one limited area -- and often on one vendor and its products. Instead, I'm talking about those entrusted with a larger security picture, mid- and senior-level managers who should seek to maintain a broader field of vision for the good of their users, their clients, their organizations, and yes, their careers.
My security technology, process and procedures are better than yours?
Ahab's "sins," as Melville portrays them, are monomania - a pathological obsession with one idea - and hubris, or overbearing pride. This is a dangerous combination, especially in technology, and most especially in security. It's seductively easy to become convinced that one particular technology is the best -- always, in every circumstance -- and frankly, the efforts of vendors to fund studies that "prove" that this approach really don't help. Add to this the tendency of technical folks to be very certain of their knowledge of all the technical details, especially as compared to non-technical managers and users, and you start to create a recipe for disaster.
Security is about looking at the big picture. If you're in a management role, you certainly don't want to be an Ahab yourself. My suggestion for avoiding such a disaster? Keep your reading broad and your mind open, be always open to new techniques and tools, and seek to honestly discover, understand, and then remove your blinders. And like a good ship's captain, remember that your first duty is to the welfare of the ship and your crew as a whole, and not to your particular obsession.