Gartner Blog Network


Three Epic “Security” Mindset Failures (“ignorance is bliss”)?

by Ben Tomhave  |  May 6, 2014  |  2 Comments

I don't care if it's a bug or a feature as long as Nagios is happy

I saw this graphic a couple weeks ago while trolling Flickr for CCby2.0-permissioned images and it got me thinking… there are a number of mindset failures that lead us down the road to badness in infosec.

Consider this an incomplete list…

  • As long as [monitoring/SIEM] is happy, you’re happy.
  • As long as [auditor/checklist] is happy, you’re happy.
  • As long as [appsec testing / vuln scanner] is happy, you’re happy.

I’m sure we could all come up with a few dozen more examples, but for a Tuesday, this is probably enough to start a few rants… 🙂 Part of what triggered this line of thinking for me was the various reports after the retail sector breaches about tens of thousands of SIEM alerts that were presumed to be false positives, and thus ignored. Kind of like trying to find a needle in a haystack.
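To make the "needle in a haystack" point concrete, here is a small added illustration (not part of the original post, and not describing any real breach) built on a constructed set of SIEM alerts. One rule fires constantly on a known-noisy host, and exactly once on a host that has never tripped it before. The "presume it's a false positive and ignore the rule" approach throws the single real hit away along with the noise; aggregating per (rule, host) instead keeps the noisy pair as a one-line summary and surfaces the rare host as an outlier worth a look. Rule names, host names and the thresholds are all assumptions for the example.

```python
"""Why "the noisy rule is just false positives" loses the needle with the hay.

All data here is constructed for illustration and does not come from
any real SIEM or incident.
"""
from collections import Counter

# Constructed alerts as (rule_name, host): 40 firings of one rule on a
# scanner host that is known to be noisy, one firing of the same rule on
# a payment terminal that has never fired it, and a handful of unrelated
# low-volume alerts.
ALERTS = (
    [("outbound_beacon", "vuln-scanner-01")] * 40
    + [("outbound_beacon", "pos-terminal-17")]
    + [("failed_login", "jump-host-02")] * 3
)

NOISE_THRESHOLD = 20   # a rule firing more than this is "presumed false positive"
RARE_SHARE = 0.10      # within a noisy rule, a host below this share is an outlier


def naive_triage(alerts, threshold=NOISE_THRESHOLD):
    """Blanket suppression: drop every alert from any rule that fires more
    than `threshold` times. The SIEM goes quiet, so everyone is "happy".
    Returns the set of (rule, host) pairs an analyst would still see."""
    per_rule = Counter(rule for rule, _ in alerts)
    return {(rule, host) for rule, host in alerts if per_rule[rule] <= threshold}


def per_host_triage(alerts, threshold=NOISE_THRESHOLD, rare_share=RARE_SHARE):
    """Aggregate by (rule, host) instead of by rule alone.

    - a rule under the noise threshold is shown at normal volume;
    - inside a noisy rule, the dominant host is collapsed to one summary
      line instead of being dropped;
    - inside a noisy rule, a host with less than `rare_share` of the
      rule's volume is surfaced as an outlier, because a rule that is
      noisy *for one host* says nothing about the others.
    Returns a dict of (rule, host) -> label.
    """
    per_rule = Counter(rule for rule, _ in alerts)
    per_pair = Counter(alerts)
    labels = {}
    for (rule, host), n in per_pair.items():
        if per_rule[rule] <= threshold:
            labels[(rule, host)] = "normal volume"
        elif n / per_rule[rule] < rare_share:
            labels[(rule, host)] = "outlier in noisy rule"
        else:
            labels[(rule, host)] = "noisy, summarised"
    return labels


def needs_review(labels):
    """Pairs an analyst should actually open: everything not summarised as noise."""
    return {pair for pair, label in labels.items() if label != "noisy, summarised"}


if __name__ == "__main__":
    needle = ("outbound_beacon", "pos-terminal-17")
    print("naive triage sees needle:   ", needle in naive_triage(ALERTS))
    print("per-host triage sees needle:", needle in needs_review(per_host_triage(ALERTS)))
    for pair, label in sorted(per_host_triage(ALERTS).items()):
        print(f"  {pair[0]:16s} {pair[1]:16s} {label}")
```

The point is not the particular threshold: any blanket rule-level suppression has the same blind spot, because it answers "is this rule noisy?" when the question that matters is "is this alert noisy for this asset?" Keeping the noisy pair as a summary line also means the monitoring is still honest about what it is ignoring, rather than simply quiet.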

(Image Source (CCby2.0): Noah Sussman https://www.flickr.com/photos/thefangmonster/6546237719/sizes/o/)


Ben Tomhave
Research Director
1 year at Gartner
19 years IT Industry

Ben is conducting research within the Security and Risk Management Strategies team under Gartner for Technical Professionals.


Thoughts on Three Epic “Security” Mindset Failures (“ignorance is bliss”)?


  1. bill says:

    Agreed that there is no Single Point of Happiness. For InfoSec folks on the edge of burnout and/or exasperation, can you recommend an approach to make infosec practitioners less unhappy? Or at least “comfortable”?

  2. Ben Tomhave says:

    Hi Bill,

    Probably not, at least in terms of making people “happy.” I just don’t think it’s possible with most security professionals. We tend to be a rather unhappy lot. 🙂

    Ultimately, I go back to fundamentals… we need to quit fighting with the business and instead focus on enabling it… we need to stop being the “department of no” and instead be internal consultants, helpers, facilitators, etc.

    I touch on this, and prioritization, a bit in an early blog post here:
    https://blogs.gartner.com/ben-tomhave/incomplete-thought-the-unbearable-bear-escape-analogy/

    Specifically, here’s the priority stack I’ve been using lately:
    1) Exercise good basic security hygiene
    2) Do the things required of you by an external authority (aka “things that will get you fined/punished”)
    3) Do the things you want to do based on sound risk management decisions

    At the end of the day, everything needs to make sense, and choosing to do those things has to be an easy decision whenever possible. Our recent paper, “Security in a DevOps World,” also talks about this notion.

    cheers,

    -ben


