I have a thing for metaphors. I wrote my dissertation on them. And they have helped me enormously as a non-engineer working in IT security.
Metaphors are powerful tools (that’s a metaphor, by the way). Literally referring to something as something else enables us to make mental connections between concepts that are not really the same. War and weapons have proven historically useful metaphors. In wartime, everything changes. We look at the situation, our opponents, and even ourselves very differently (I like the image of a noble warrior on the battlefield more than that of a guy who spends most of his day sitting and typing…)
But metaphors also cause trouble, especially when we use them to over-simplify. I am skeptical of “security as war” metaphors, including that of the arms race. The metaphor detracts from the very real threats of cyber- and information warfare. War doesn’t define security any more than war defines firearms. Unless we are specifically talking about threats from nation states (and a few other actors) using information technology as part of armed conflict, we are not talking about war. And this is not what we are usually talking about in information security.
So why use war? Well, it’s a great metaphor and it can really fire up the base. When I’ve seen security practitioners use it, they often want to get people passionate, to inspire action, to shout, “Get moving! Can’t you see we’re at war?”
But for me, the war metaphor is rooted in hopelessness. War is and should be a last resort. If you find yourself at war, chances are that all other alternatives have failed. I hear this hopelessness echoed by colleagues, and recently the metaphor has changed. They say we are not only at war, but we’re losing (or have already lost). I sat on a panel not too long ago and listened as the speaker to my left, the CTO of a security company, told me that traditional security efforts meant nothing anymore, and you might as well turn off your firewall. The speaker to my right, a security consultant, told us the “bad guys” had won and he had thought seriously about moving to another country (one without extradition) and changing sides. I didn’t ask Mr. Left if his company had turned off its corporate firewall because I already knew the answer, and I didn’t really believe Mr. Right because, call me optimistic, but I prefer to think that most people are not actually sociopathic.
“Security as war” has another flaw: if an arms race adequately describes the problem space, then logically war and weaponry might also provide some solutions. Here the metaphor really breaks down. I don’t think security vendors view themselves as “arms dealers.” And I believe regulating IT around its potential weapons value is a bad idea for society and commerce (didn’t we already try that once with cryptography?).
Let me float an alternative metaphor: instead of an arms race, I propose that information security is about pain management.
In “security is war,” we’ve lost control against an adversary determined to destroy us. In “security is pain management” we can get some of that control back. Some acute pain can be avoided by living less recklessly. As an individual, maybe I need to stop BASE jumping and find a safer hobby. As a company, maybe I should reconsider letting my employees carry unprotected laptops all over the world. The war metaphor lets us push responsibility for harm off on some enemy outside our control. But too often within security we contribute to our own pain when we make reckless decisions. To mix metaphors, if security is war we often walk into battle naked. And we get upset when we get hurt.
In many cases we have even more control over chronic pain, even if the pain is still very real. Back problems run in my family, and I suffered for years before realizing that the only way out was preventive: daily exercise and stretching. If I don’t do these things, my back starts to hurt (chronic). Eventually, my back goes out, leaving me unable to move (acute). I see many customers with chronic information security pain. Managing that “pain” requires daily discipline and a focus on small details. Policies and required configurations must be enforced and reviewed on a regular schedule, not just written once. Monitoring must be continuous, with the organization looking for the minor aches and anomalies that could signal the beginning of a bigger problem. The goal should be to minimize the problems you can control, the “chronic pain,” in order to devote your limited resources to the problems that are truly out of your control, the “acute pain.”
So perhaps we can take the apocalyptic rhetoric down a notch. Maybe, instead, we could get a physical, eat a little better, and exercise more. In security, this might mean having a Security Posture Assessment done to figure out how “healthy” we are, then building a vulnerability management program to change our IT lifestyle and start addressing our information protection problems.
“Security treated as pain management” doesn’t make security easier, but it does make it less fatalistic. If we work hard to incorporate security into our daily operational lives, then many of our pains can be prevented or at least made more manageable. Getting rid of minor pain lets us focus on more serious problems. Like those adversaries and threats that really do want to hurt us badly.