- BlogInfoSec.com - https://www.bloginfosec.com -

The Misleading Nature of Schneier’s Security Mindset

Recently Bruce Schneier wrote an essay on the Security Mindset [1]. In it he wrote:

Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities. They can’t vote without trying to figure out how to vote twice. They just can’t help it.

He further wrote:

This kind of thinking is not natural for most people. It’s not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don’t have to exploit the vulnerabilities you find, but if you don’t see the world that way, you’ll never notice most security problems.

While I agree that certain security roles involve thinking about how things can fail (and be made to fail), that’s not the full picture. In particular I disagree that thinking about how things fail is not natural for engineers and, conversely, that how to build things is not natural for security professionals.

For the first case, imagine an engineer that is building a bridge and does not consider whether or not the suspension cables will sustain the weight of the roadway beneath. Clearly in building a bridge there is also the consideration of the consequences of not building it correctly. Engineers may not maximize the way they develop failure paradigms — trying to figure out every way one’s design could be subverted — but that does not mean they do not think about failure.

For the second case, it’s best to turn to corporate and government security needs. Security people want to figure out how to best architect solutions so that employees can securely access their desktop remotely, monitor log events throughout the enterprise, reduce costs through using VPN solutions, etc. Corporate security people in particular can no longer be the “No” person, but the “Here’s how to do it securely” person. And with this latter approach, architecture and engineering is part and parcel of the security professional’s toolkit.

Reducing the security mindset to “an attacker, an adversary or a criminal” is to limit the paradigm of security to one general class of security roles: namely, the auditor. To phrase this more as a whitehat, to think like an attacker is to constantly conduct a vulnerability assessment, which (again) is an auditing function (despite which corporate function conducts it).

The strict model of “the security mindset as only an attacker” may have been appropriate pre-2001. Since 9/11 and Sarbanes-Oxley, engineers are increasing expanding their understanding of security requirements and information security professionals are increasingly focusing on how to enable businesses securely. Granted that the two circles of the Venn Diagram will never full overlap, but they are increasing doing so and are overlapping more now than ever.