Here are three principles regarding how security evolves over time within a given industry or space.
The more noticeable security functionality is to a user of a system, the less mature its security.
The sexier security seems within a given space, the less mature its security.
The more effort required to take the secure option when building or using a system, the less mature its security (a.k.a: the Distance from Default).
Stated differently, security is at its best when it’s invisible, automatic, and boring.
Consider for a second the analog of building safety. Walk into any modern skyscraper in a big city and you’ll find some pretty remarkable things. The way in which the structure is built, the way the electrical work is done, the hundreds of inspections that take place on a regular basis, the dozens of types of insurance and certifications involved, the documentation, the test plans, the safety procedures, and the unwavering demand for complete documentation.
That’s in every building. Every. Single. Time.
But how noticeable is this safety to most? Not at all. How sexy is it? Not at all. And how ad-hoc is it? Not at all. It’s invisible to users, it happens by default as part of the build process, and it’s unbelievably boring.
That’s how we know building safety is in an evolved state.
So the goal of InfoSec should ultimately be to get to the level of insurance, accounting, and building inspectors on the scale of being noticed, being automatic, and being interesting. That’s when we will know we have won.
As a security practitioner who is driven primarily by passion this is disheartening to me, yet I am compelled to push towards the goal nonetheless.
It seems that in security, just as in life, maturity brings stability and efficacy, yet nearly everyone can be expected to sometimes pine for the folly of youth.
Alas, we know what high-maturity security looks like, and it’s not terribly exciting. The chaos and stupidity of a space’s InfoSec maturity are directly linked to the wonder, magic and awe of practicing security in that field, and as one declines so does the other.
So if we cannot have InfoSec maturity, let us at least appreciate the magic that the chaos brings us while it lasts.
This translates nearly perfectly to safety.
There are situations where visibility is a key aspect of a security measure, and in those cases the first rule would not apply.
Each time we enter into a new space that needs to be secured, the evolution of noticeable, ad-hoc, and sexy starts all over again. So there will be plenty of opportunities for InfoSec to be interesting in other areas.
Image from http://brunelsecurity.co.uk.