The Security Management Hippocratic Oath

I swear by Apollo the Physician and Asclepius and Hygieia and Panaceia and all the gods, and goddesses… I will apply dietetic measures for the benefit of the sick according to my ability and judgment; I will keep them from harm and injustice. I will neither give a deadly drug to anybody if asked for it, nor will I make a suggestion to this effect….

-From the Hippocratic Oath

Imagine an operating room.  The doctors and nurses come in, the anesthetist and the specialists.  In the next few hours, they will perform major surgery, working as a finely honed machine to save the life of a patient.  The scene is a familiar one from shows like ER, House or even General Hospital, and we’ve seen it countless times in movies the world over.

To get to this point, a lot had to happen.  The medical staff had to have tens of thousands of hours of training.  Equipment was manufactured from around the world – surgical tubing, precise scalpels, clamps, electronics, computers, wires, and even things like the metal for the table, the tiles of the wall and floor, and the temperature regulation and air filtering.  Finally, the medical breakthroughs throughout the ages brought the right wisdom to these people to get the job done right: every motion, every word, even every thought in some cases coordinated in a way that no one human being could do as effectively alone, or without all the other parts, to make something like a heart transplant or bypass surgery possible.

That’s not to say that surgery can’t happen without these ingredients…but do you want to be on the table if any of them is an iota out of place?

This is complexity.  It’s also collaboration, coordination and the best that we as a civilization can accomplish in many ways – and in some cases it’s routine.

There’s a point in my setting the scene like this.  Any discipline when sufficiently advanced will exhibit many of the same traits, building as Art Coviello mentioned on Tuesday in his keynote, on the shoulders of giants.  The painful work of building wisdom, learning to work together and establishing procedures for what once seemed impossible can eventually make miracles commonplace.

This is as true for security as it is for medicine or putting a person in orbit or even building something as truly breathtaking as a modern jetliner.

I was once asked in an interview about the “art of security,” and I imagine at some point in the distant past an aspiring doctor was asked about the art of medicine.  But we are no longer in the dark ages of our discipline.  It’s time to advance security not just from an art to a science, but to make the act of risk management, and of making things secure, a reliable, repeatable and even commonplace discipline that solves the insoluble and addresses the challenges of the future.

That takes management.

This is the heart of the security management announcement today from RSA.  Why does Archer need to be more closely linked to a SIEM system (like enVision or, frankly, any SIEM system in place from any vendor)?  Because just like the doctor in my story earlier, who wouldn’t be making the miraculous commonplace without the instruments around her, so too the vital functions and roles within an organization (i.e. admins, security professionals and executives – and by that I mean the people accountable for reducing risk at the highest levels of an organization) need to see the equivalent of heartbeat, blood oxygenation, blood pressure and so on.  Before the scalpel goes near the patient, the Hippocratic principle of “first do no harm” requires us to know the consequences of our actions.

Why are services an emphasis in the announcement?  Because ultimately, people have to form the glue between the textbooks and the practices, just as in the medical example there has to be an agent that knows the patient and has all that knowledge to bring to bear when a real cure or action is needed in the medical scenario.

We owe it to the patient (i.e. the shareholders) to get really good, really predictable and really disciplined.

That means building our collective wisdom.

That means working together.

That means new standards.

That means new practices.

That means new voices asking – no, demanding – new capabilities from the industry in general and to connect tools in ways that don’t distract or detract from the quality of care given.

That means pushing for incremental improvements in communication, coordination and collaboration, just as the medical sciences advanced and operationalized improving the lives and health of patients steadily over the generations.

Art also spoke on Tuesday about the opportunities introduced by what most of the world sees as a challenge: cloud computing and virtualization (the real tool that makes the cloud pragmatically more efficient and effective).  At first glance this makes those accountable for risk despair, but the truth is that this is our chance to shine and to do security management right.

I work for RSA, but most of you know that I am first-and-foremost a security guy.  It’s with great pleasure then that I see this as about more than a vendor (no matter how happy I am with being an RSA employee).  This isn’t about a vendor and their products (which by the way are great!): it’s about us advancing the state of the art…and making miracles and the impossible eventually commonplace.

The new Security Management Working Group (headed up by Raymond James’s great CISO Sam Ghelfi) is a big part of doing this, and I personally, as well as in my capacity as an RSA employee, intend to help drive it forward in any way I can.

This is where security gets exciting!