Okay, so everyone attends Steve Riley’s sessions, and some of them cluster around him wherever he goes at TechEd (at the Spiderman ride at last night’s attendee party, I saw him enter the ride, and the “wait from this point” counter immediately ran up to 45 minutes).
But there’s a reason he’s popular – he speaks to his audience in a very enjoyable and informal manner, he rarely refers to notes or reads from his slides, and he has a lot of good stuff to say. Possibly he has this ability because he isn’t associated with a product group, and therefore doesn’t have to push the latest and greatest piece of software. Whatever the reason, he’s worth going to see.
I managed to catch one of Steve’s presentations, on “Making the Trade-Off: Be Secure or Get Work Done”. This was a great talk, although apparently a number of people have had issues with his discussion of “Security Theatre” at the airports, and in the war on terrorism (it always sounds like “war on tourism” when the President says it, and that does seem like a good description of airport security theatre).
If I had to pick one complaint about Steve’s session, it would be that I wanted to see a little balance in the first section – while I take Steve’s point that we security wonks need to talk to business types about the cost savings and/or benefits of implementing security, privacy, integrity and disaster recovery technologies, I think it’s important to re-state what may be obvious to some:
When you’re looking to hire security expertise, make sure that they don’t just want to save money, but they also want to save the world.
If the security expert you hire only wants to save your company money, that person may be too interested in facilitating the business to consider the privacy of your customers’ data, or to spend an hour making a change that significantly increases security but would take far longer to quantify as a monetary saving. Even if you insist that every security change comes with a financial report on its benefits, a security guy who isn’t much motivated by security isn’t going to provide the valuable “devil’s advocate” point of view that lets you truly assess the risk landscape you live in.
Of course, as Steve’s point was originally supposed to underline, if your security guy cares only about saving the world, and nothing about saving money, you will constantly clash with him about issues where your data simply isn’t worth protecting – where the cost of an exploit or loss is less than the cost of protecting it.
[Is that a scary thought? Yes, it is, at first blush - that somewhere out there is your data, being held and protected by an organisation that says "this data is only worth this much to us, and because it would cost more to secure than to lose it, we don't care to protect it".
But don't panic - there are plenty of safeguards. First of all, your data is generally tied in with that of hundreds or thousands, maybe millions, of other people. So the cost of losing your data is essentially the cost of losing the data of all your cohorts combined - lose one, and you've lost them all through the same method. Most losses of customer data are worth thousands to millions of dollars to a company or organisation, so your data is generally safe.]
The bottom line is: when looking for, or training, security staff, try to find someone who wants to be a security superhero, but teach them how to enumerate the benefits of what they’re going to do. There are always plenty of financially beneficial, security-smart changes to be made, so asking him not to make security-smart changes that are financially expensive is a matter of prioritisation, rather than of stopping him from doing security.