Cybersecurity’s Human Factor: Lessons from the Pentagon - jackgavigan
https://hbr.org/2015/09/cybersecuritys-human-factor-lessons-from-the-pentagon

======
jka
None of the lessons presented here are necessarily incorrect, but it's very
interesting the way this article is attempting to assert a rigid military
approach to security in the private sector.

The most creative and effective organizations nowadays are arguably the ones
in which traditional rules and protocols are eschewed for newer more fluid
processes (agile/rapid iteration instead of waterfall, flatter hierarchies
instead of top-down authority, reward for creativity and experimentation
rather than pipelined design and production, and so on).

I'd argue that this article is suggesting that large institutions are the ones
that need to adopt this rigid approach to security - but they're already
likely struggling to attract tech/security talent, and this kind of
environment isn't going to foster it (or maybe I misunderstand those talent
pools).

In addition, some of the suggested guidance basically eliminates any kind of
opportunity for fun or exploration during the job - which might be possible
for some small subset of extremely dedicated operations engineers and security
staff, but isn't going to work for the other 90% of day-to-day employees.

I'm wondering if there's some kind of disconnect or incorrect perception of
the world of IT from the author(s) here. Or it may be a bid/attempt to build
some kind of reputation for authority in the area.

~~~
dsfyu404ed
I think you're missing the point. The author is advocating for a well-defined
set of policies and procedures and users that understand and follow them. The
point of this is to create an environment where the security people get the
info they need (from users) to do their jobs and the infrastructure (including
users and policies) is set up in a way that lets them do their jobs.

Big companies have more to lose and deeper pockets, so they're more likely to
give big paychecks to security people. Regardless, few organizations pay
anyone in support roles well; security is no different.

The main point is that you need users who aren't afraid to say "hey WTF is
this?" and a system that can back that up by evaluating $this and taking
appropriate action across the entire network.

Speed is key, but the waterfall/agile models are way too simple to apply at a
high level. The workflow bears more resemblance to this:
http://franklinstreetwebserver.com/wp-content/uploads/2010/04/Afghanistan-powerpoint-graphic.jpeg
because you've got a different path of actions taken for each event, and making
the decisions at each point as quickly as possible is key, but there are often
so many moving parts that a very rigid set of procedures is needed to ensure
consistency.

If someone's workstation crypto-walls a network share, how many different
moving parts are involved in the cleanup?

------
rc4algorithm
I stopped reading after the first paragraph:

> From September 2014 to June 2015 alone, it repelled more than 30 million
> known malicious attacks at the boundaries of its networks.

Someone told them about SSHGuard and pf, I presume?