Connect with us

Hi, what are you looking for?


Management & Strategy

It’s Okay to Fail – Security is a Problem That Can’t be Solved

It’s okay to fail. This may sound radical, but I would argue that the information security community isn’t failing enough. Or rather, we as a community are failing passively on a continual basis, rather than failing actively. The difference between passive and active failing is key. Allow me to elaborate.

It’s okay to fail. This may sound radical, but I would argue that the information security community isn’t failing enough. Or rather, we as a community are failing passively on a continual basis, rather than failing actively. The difference between passive and active failing is key. Allow me to elaborate.

Consider the famous, though often misattributed quote: “The definition of insanity is doing the same thing over and over and expecting it to come out different.” Although this statement was not made in reference to information security, its relevance to our field is striking. Pundit after pundit, expert after expert, thought leader after thought leader, conference after conference, and so on paint a dire picture regarding the state of information security. The threat landscape is imposing. The risk to organizations is real. The consequences are increasingly severe.

IT Security FailureWhile there are clearly exceptions, most information security professionals hear the message loud and clear. We know that we face serious challenges that we need to overcome. We know that we face formidable problems that we need to solve. We know that the status quo is not working. Additionally, leaders and executives outside of the security profession are increasingly beginning to grasp and grapple with the gravity of the situation. True, there is still a long way to go until awareness is where it needs to be, but more and more, we as a community have the world’s attention and focus. The question is, what will we do with this attention and focus?

Will we squander our newfound attention and focus by ridiculing those who don’t yet understand? Will we fail to eloquently articulate and communicate our constructive suggestions for improvement? Will we continue to insist that every non-traditional, outside-the-box approach is folly? Or will we realize that for decades, conventional wisdom and the status quo have led us to the same results. Not surprisingly, the same approaches that have always led to disappointment continue to lead to disappointment. This is passive failure, and passive failure is not okay.

What’s missing from the hype and hysteria is action. There is plenty of talk out there, but unfortunately, there is very little action. Or to be more precise, there is far too little practical, hands-on material that security professionals can leverage as part of an effective action plan. I would argue that it’s no longer enough to stand up and speak only about the challenges and problems in the information security realm in the name of raising awareness. In my opinion, any talk also needs to spell out constructive steps for action. Practical, tangible, realistic approaches raise far more awareness than Fear, Uncertainty, and Doubt (FUD) ever have.

Will every idea, approach, technique, and methodology suggested or proposed work effectively? No, of course not. But I would argue that by doing nothing other than trying the same old approaches repeatedly, we merely continue our passive failure. Isn’t it time to try some different approaches? How will we know what might help us address challenges and solve problems if we never try anything new? This is active failure, and this is how progress is made in other professions, most notably science. If at first you don’t succeed, try, try again.

Now, am I saying that we should just throw caution to the wind and try every idea, approach, technique, and methodology we can possibly think of? No, of course not. We need to be scientific and methodical about how we approach the challenges and problems of security. It’s okay to take risks, but it’s not okay to take stupid risks.

As I’ve discussed in previous SecurityWeek pieces, “security” is not a problem that can be solved. It’s too broad, vague, and ambiguous a topic. Rather, like any formidable challenge or problem, the topic needs to be broken down into smaller problems that are solvable.

Advertisement. Scroll to continue reading.

In my pieces (in SecurityWeek and elsewhere), I’ve always tried to present logical, rational, constructive steps for improving an organization’s security posture. I am not alone – there are others who do this as well. I may not always succeed in eloquently articulating my message, but I am trying to walk the walk. Many people have noticed this and have provided me kind feedback. I am grateful to have had an opportunity to help some people through my writings. If I list out the common themes of some of my pieces, I am hoping that it illustrates this point, as well as provides some reference, at least as a starting point, for the reader looking for action:

• Breaking security down into enumerable and achievable risks, goals, and priorities (“Is Security an Unsolvable Problem?”)

• Including additional context around alerting to facilitate better decision making and increased efficiency (“Security Operations: Moving to a Narrative-Driven Model”)

• Working towards improved information sharing, despite obstacles and resistance (“Understanding The Challenges In Information Sharing”)

• Tips and tricks to help with “Integrating Actionable Intelligence

• Leveraging more relevant alerting (“Throw Out The Default Ruleset”)

• Capturing relevant event information before it disappears (“The Event Horizon: Examining Enterprise Security Blind Spots”)

• Remembering that “Not All Intrusions Involve Malware

• The importance of performing root cause analysis (“Root Cause Analysis: Stop Playing Whack-a-Mole”)

• Gearing up to face the challenges of tomorrow (“Will Technology Replace Security Analysts?”)

• Considering the differing value of different data sources to security operations and incident response (“Incident Response: Focus on Big Value, Not Big Data”)

• Including the business case and expected outcome with your information security arguments (“The ‘So What?’ Factor of Information Security”)

• The importance of “Using Relative Metrics to Measure Security Program Success

• Keeping the signal-to-noise ratio high enough to provide value (“Security Operations, What is Your Signal-to-Noise Ratio”)

• What you do with your security budget is just as important as how large your security budget is (“Is Budget A Good Security Metric?”)

• Writing more targeted alerting (“Spear Alerting: Improving Efficiency of Security Operations and Incident Response”)

• The importance of asking the right questions (“Always Answer a Question with a Question”)

• Remembering that both collection and analysis are equally important (“Collection and Analysis: Two Sides to the Coin”)

The past few decades in the information security field have been dominated by passive failure. Clearly, not every new idea has merit, but those ideas that come about scientifically and methodically have tremendous potential to improve the state of security. Only through active failure can we as a community progress. We as security professionals can once again look to science as a model. It’s time to break the box wide open.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...