Everything Old is New Again…
November 15, 2010
There’s a common theme among the last couple of posts on here: first, I ranted about SANS new Securing the Human program, and then Josh got all ranty about Forrester’s “Zero Trust Model”. Here’s the thing – my biggest frustration with both of these “innovations” in our industry is that they’re nothing new. Both SANS and Forrester are reinventing the wheel and running around claiming it to be something new.
To wit – let’s take a quick Back-to-the-Future gander at two interesting paragraphs. From Forrester’s site about the ZTM: “In today’s new threat landscape, this is no longer an effective way of enforcing security. Once an attacker gets past the shell, he has access to all the resources in our network. We’ve built strong perimeters, but well-organized cybercriminals have recruited insiders and developed new attack methods that easily pierce our current security protections. To confront these new threats, information security professionals must eliminate the soft chewy center by making security ubiquitous throughout the network, not just at the perimeter.”
Then, let’s walk all the way back to 2004 to view the mission statement of the Jericho Forum: “The Forum is dedicated to the idea that success in today’s business environment is dependent upon the ability to collaborate and do business by enabling the secure flow of data over the Internet. Its members recognized from the outset that today’s business requirement for the flow of data between mobile workforces, customers, suppliers and business partners, is increasingly eroding the ability of traditional perimeter security solutions to protect our systems. To enable business to embrace the Internet while protecting valuable company information, our industry needs new IT security models.”
Whoa. It’s like the Jericho Forum was talking about this whole “Zero Trust”, no-perimeter, the-outside-is-the-inside thing all the way back in 2004. Forrester’s only a HALF A FREAKING DECADE BEHIND.
SANS is even worse. The demo content on their Securing the Human page isn’t much more advanced than your average Successories poster. And the videos actually make this circa-90s video look good:
The frustrating thing about it all is that we have these security vendors claiming to be advancing the state of the practice, when they’re really just running around peddling the old solutions that have failed the industry in the past (or, in Forrester’s case, peddling something that was state of the art 6 years ago as something that they just came up with on their own).
Here’s the thing – some of us are actually out there doing interesting new work. It gets lost at times in the noise of those who are better at self-promotion (or have much larger PR budgets).
As an example, I’m consistently impressed with the work that Rob Cheyne and his team are doing over at Safelight Security – there’s nobody better for security awareness video content. But you’ve probably never heard of them, unless you’re working with them and seeing them get results for your organization. Our partners at Lockpath are similarly doing awesome work in the GRC space. But, again, unless you’ve had the opportunity to actually implement Keylight and see how it changes your security management strategy, you probably haven’t ever heard of them.
That, to me, is what we should be measuring our success on: results with our clients. That’s how I measure our success at MAD. It’s also why I get so completely ranty when I see someone taking ideas and content circa 5-10 years ago and claiming that they have great new ideas.