We need to talk about IT

It has long been a truism of security practitioners that security is not an IT problem. This is an attempt to lift the gaze of the security team from technology to the wider business. A laudable and useful goal. However, IT is a security problem.

As we have moved from huge engineering programs that build computing systems to last for 25 years or more, to smaller projects that deploy in months, and ultimately to agile continual development with a constant trickle of change in hours, we have made trade-offs. The misunderstanding of the Faster, Better, Cheaper (FBC) approach that assumes only two of those characteristics can exist at the same time has become almost an excuse for failure and the reason for bish-bosh IT that expects to be replaced so quickly that no real thought is given to long-term implications. In choosing to believe only two of FBC is possible, IT has invariably chosen Faster and Cheaper. There are much-vaunted business reasons for this: time to market, failing fast, responsiveness to stakeholders, efficiency. In many cases those are measurable benefits of the approach, but it is worth noting that the high-profile adopters of FBC, NASA [PDF], found that it was possible to achieve all three characteristics in an approach that reflects much of what has later come to be called Agile.

There is a problem though, and that problem is being brought into the light by cyber security. We are increasingly finding ourselves in a dogfight with organised criminal groups, or sometimes state-sponsored militia, who have worked out that automation, service-based extended enterprises and aggressive outsourcing get them inside our Observe-Orientate-Decide-Act (OODA) loops. For security professionals that has meant an increase in the importance of monitoring, threat intelligence, analytics and other technologies or activities that contribute to our situational awareness, improving our Observe and Orientate, as well as a focus on our incident response plans and capabilities, improving our ability to Decide and Act. As we decrease the time it takes to get round the security function's OODA loop, we are discovering that protecting an enterprise from cyber attacks requires us to run inside IT's OODA loop, and that is a problem.

IT has been building multiple systems to deliver the local maxima value where the business function or team exists. IT has also been building these localised systems quickly and cheaply, eschewing Better as unachievable. The result is that our enterprises are complex systems of systems, and the management platforms for those enterprises are themselves diverse, complex, incomplete and slow. We don't know where all our IT is, we don't know what it does, and we can't change it or patch it safely, either in coverage or in time to affect our adversary's OODA loop. One of my clients, in an admittedly huge financial services business, reported that his IT function had deployed over 44 million patches in the previous year. That doesn't scale using the management tooling and platform design that IT tends towards to meet local maxima value.

When I raise this I sometimes get told "there's nothing we can do", "the business doesn't care about the complexity, they care about pace", "that's just the way it is". I don't buy it. There are now global-scale cloud businesses and social businesses (Amazon, Salesforce, Google, Facebook, Twitter, Yahoo etc.) that have faced down this problem: by not accepting the limitations of traditional small-scale, local maxima focused IT, they have built platforms to deliver the global maxima value for their enterprises. Not systems of systems but true platforms onto which they deploy their applications, some in a much more agile manner than most large enterprises dare come close to yet. Their success at automating and managing the security of their IT platforms is in sharp contrast to the ongoing visible failures of security management in systems-of-systems enterprises that rely on a patchwork of localised systems to deliver value.

We will eventually convince the security vendors to allow us to automate our security controls, we will professionalise and normalise situational awareness, and we will develop a cadre of capable and prepared incident responders. But until IT designs truly Faster and Better and Cheaper platforms for the global maxima value of the enterprise, rather than the local maxima of the individual business function, our limitations will be those of IT.