Tuesday, June 12, 2007

And Now for Some Bible Education (Part 2)

So.. how does that affect us?

I find in some cases it makes sense to take a hard line on something and not compromise. Sometimes you also just know the answer. You can't really be certain of your security posture if you have 20% of all passwords being "password", sometimes you have to compromise a bit - you have to allow some traffic through your firewall.

I like to think that I am more of an Aaron person - I find it easier to analyse, debate and discuss than research and enforce. Which makes me a pretty good Information Security consultant. I have different people, with different agendas all coming at me and I need to find a balance.

I fully expect those people to have the agendas that they do and while things can get heated when someone doesn't understand why I can't fully agree with them, I actually prefer them to have strong ideas. That way I can make a good decision.

Every InfoSec consultant will be stuck in the middle of a few factors, the CSO who wants everything perfectly secured (pull out the Internet cable and lock the doors), the CIO who wants everything up and running and the CEO who doesn't care as long as business gets done. You also have 1,000,001 vendors who all think that their product is perfect and does everything. You have the law makers who want to push laws that protect everyone. You have your wife and kids who want you at home all the time (or at least every night and weekend). Another example is ISACA who believe everything can be solved through risk analysis.

And the sad truth is that you can't make all of these people happy. You have to compromise.

Each of these people is a "moses" - they know their point exactly. They see the world in black and white. A technical salesperson (assuming they are trustworthy and their product is reasonably competent) will know all the good about his/her product. They know all the bad it can eradicate and the risks it can mitigate. They may know about competitors products and how choices were made - some companies decided to use agents, some use no agents. They will stand by their products. They will not budge and so they shouldn't.

I do have a bit of bias and where I can I push Open Source software but I am aware that it doesn't work for everything and that is where I take my Moses cap off and put on an Aaron cap. I know how good Check Point's firewall software is but when it comes time to do NAC I need to judge fairly.

Speaking of Open Source software - the community is made up of people who are Moses-types and Aaron types. Richard Stallman is very much a moses type. Linus Torlvalds is more of an Aaron-type when it comes to license issues but more of a Moses-type when it comes to some aspects of kernel programming.

They are both successful because they have managed to be the kinds of personality they need to be when they need to be that kind.
Post a Comment