Who defines “good enough”
I’m going to play Devil’s Advocate to Alan Shimel’s post titled “Is good enough security, good enough? (Are we the good enough generation?)” which is his opinion on Michael Farnum’s post titled “The reality of why UTM is successful and why compliance can hurt security.” Yes, you have some reading ahead of you.
First I’d like to say I agree with Alan’s main point that security isn’t something to half-bake or to take lightly, and there are plenty of shops out there that are doing one or both, and the rest of us have to deal with the crap their networks spew onto the Internet.
I also should say my opinion applies strictly to the private sector. Public companies have to play by a different set of rules, and since I have no experience in the public sector I can’t fairly speak about it.
However, Alan is painting with very broad strokes here by stating it’s a ‘generational’ problem. What my shop of 1,200 users can afford to do about security and what a backbone provider can afford to do about security are two very different things. For example, only this year could my company justify my salary as a dedicated IT Security staffer, and I’m the only one they have. Everyone else who works with me on security issues is performing multiple roles, and security isn’t the primary one. Since their primary roles are things like Network Manager or help desk, they don’t have the training or education in security that I have, which means they may not know that there is so much more they can be checking besides patch and AV levels.
When you think about the cost of security you can’t just think about the devices you’re throwing on the network, and I’m sure Alan didn’t mean to do that; he’s a pretty smart guy. The cost of security includes the man-hours that go into designing policies, the man-hours that go into designing secure system builds, the man-hours that go into meetings to disseminate information from the security team to the IT team to the users, etc. If a company can’t afford to pay their IT staff for all of this, the IT staff have to make do, which means doing what is ‘good enough’ with the money they are given. Sure, I’d like to buy a BMW that practically drives itself, but my Mitsubishi gets me to and fro, and I can justify the cost of the Mitsubishi but I can’t necessarily justify the cost of a BMW.
Security is risk management driven by what a company can afford. Ergo, for a shop like mine, a partnership with about 1,200 employees, solid patch management, antivirus, appropriate policies, and some IPS devices are certainly good enough, which is a good thing because that’s all we’re going to get funded. The folks who pay the bills are aware of the risks, they are aware of the measures in place to manage those risks, and in some cases they accept risk based on the recommendations they get from the team I work with. Yes, someone can walk into our office with a laptop, get a DHCP lease, fire up Metasploit, and own many of our systems. That is a risk the partnership is willing to accept, therefore the shiny new NAC system I would like to have isn’t getting funded, but a HIPS solution for all of our laptops is, because guess who has laptops? That’s right, all the partners. And that makes sense, because on those laptops is intellectual property and trade secrets, therefore I need to mitigate the risk of losing that data when those laptops are connected to a public hotspot or a client’s network or what have you.
That’s what we security people do. We manage risk based on what our company will pay to manage, and we accept the other risks that our company wants us to accept. The people who pay our salaries and pay for our solutions are the ones who decide what is “good enough.” It’s our job to make sure they have enough information to make an informed decision.
Michael Farnum hit it on the head in the original article that Alan is commenting on. Michael said
“I contend that the UTM is so attractive because “good enough” is what many (not most, but maybe not far off) security people are looking for in their security because they are strained and pulled and stretched and yanked in so many directions that “good enough” is all they have time for.”
But unfortunately he then says “Call it lazy or whatever, but the truth is there.” He ruined his previous statement with this one. Lazy is what someone is who knows what to do, can do it, but chooses not to simply because they don’t feel like it. Much like Michael himself said “The Blogger people royally screwed up some of my formatting during some maintenance they were performing today, and I am just too dang lazy to go fix it!” That’s lazy. But not having the time, the expertise, or the backing to do something isn’t lazy.
Dude, fix the list, it was a good one!
The core problem here is that security is still underfunded. Companies aren’t spending the money they need to get the job done right. This isn’t a generation of slack security guys. It’s a generation still learning what it means and how much it costs to be secure.
That’s exactly the point Michael came to at the end of his post when he said “So, what’s the answer? To both problems above, the answer is more staff, more money, and more training put directly towards security.”
Bingo. We aren’t the ‘good enough’ generation. We’re the ‘underfunded’ generation.

Excellent post. I agree security is about risk management as well. However, is your situation the norm or the exception? I met with a large supermarket chain a couple of months ago who said, look, we really don’t care much what your product does or how it works. We just want to know, will it get me past my PCI survey. Or another who said, we don’t care if our patch management system is really accurate about the current state of our computers. We just need to show a report that we have a patch manager in place. I think the security guys (who are often wearing multiple hats) know what the right thing to do is; they don’t do a good job selling it to the financial stakeholders. Your NAC situation is a perfect example. It will only take one visitor or someone coming in and wreaking havoc, and all your HIPS isn’t going to help (BTW, maybe I can get you some NAC cheap ;-))
By alan shimel on 07.13.06 12:14 pm
Well I hope my situation is the norm but now you have me worried!
By Michael on 07.13.06 9:18 pm
Michael,
Good catch on the lazy issue. I guess I need to go format the list. Actually, I am moving to my own domain (infosecplace.com/blog), and the list looks good there, so I think I will keep being lazy for now.
I agree with Alan that your post was excellent. Great points all. Risk is still the key. Acceptance / mitigation / transfer of risk is where you decide to do what you do about that risk. And if funds are low, it makes you make decisions that you don’t like to make.
I am really enjoying your blog. Keep it up.
Michael (also)
By Michael R. Farnum on 07.14.06 6:50 pm
Thanks for the props guys…I’ll never fit my head through the door now.
By Michael on 07.14.06 6:59 pm