Parallels between the Titanic and IT Security

Unbelievably awesome stuff by Guerilla CISO via Anton Chuvakin:

...the problem here was that the Titanic indeed did meet all of the safety requirements of the time. And that a big part of the problem was that the safety requirements were drafted in 1894, at a time when there were rapid changes in the size and design of ships of this kind [...] the bottom line was that when the Titanic was reviewed by the safety accountants, they took out their checklist and went over the ship with a fine-tooth comb. When the day was done the ship fully met all the safety criteria and was certified as safe.

This is where I see the parallels between root causes of the Titanic disaster and the odd situation we find ourselves in today in terms of IT security. Security by checklist (especially out-of-date checklists) simply doesn't work. Moreover, the entire mental framework that mixes up accounting practices and thoughts with security discipline and research is an utter failure. Audits only uncover the most egregious security failures.

Compliance is a double-edged sword. For many security teams, especially those in an organization without a CISO or CSO to help cut through red tape, actually enforcing policy is hard. Many of us aren't given any "teeth", so we're restricted to a lot of hand-waving, hollering and tantrum-throwing while being unable to actually make things more secure. Compliance can be used to acquire funding and, hopefully, to get some traction on enterprise security initiatives. Security needs more than compliance, though. This is a great (if overly dramatic) example of that.