After the First World War, the science of land-based conflict evolved through both studies of the world war and through technological advances: namely, the tank. Looking back now at what went on then in the Somme and in other places on the European continent, it all seems just a horrible, senseless, purposeless waste of human life. How on earth could anyone, ever, think it would be a good idea to order hundreds of thousands of soldiers to leave the relative safety of their trenches upon the signal of a whistle, and then walk or rush towards the waiting enemy machine guns that promptly proceeded to convert human lives into so many puddles of lost hope?
It. Seems. Absolutely. Retarded. Surely, someone has to take the blame for this historical spot of shame on humankind? Someone has to be responsible, and to have been held responsible. But who? The captain or major in the trench, blowing the whistle, knowing full well what would happen? The lieutenant threatening to shoot anyone who didn’t follow their mates up? The regimental headquarters deciding which battalions to have at the front and which to hold in reserve? The overall command, the commanding general drafting and ordering the attack? Whichever professor or general designed this type of warfare? The enemy for starting the war or not surrendering? There is an inherent asymmetry in one general being able to order so many to lay down their lives with one single command, so maybe he’s the one to blame? Or not.
Let’s move the analogy into Infosec. Let’s move it into the context of my blog post on the poor CISO (chief information security officer) being dissed by CIOs in a recent survey (http://blog.peerlyst.com/cios-dissing-cisos-dinosaurs/).
I don’t think it’s fair to blame a CISO for a security breach any more than you can blame a soldier for biting a bullet on the field of battle, especially if he’s not given the tools to do his job. Blame whoever the CISO reports to, or the board or CEO. Or learn that Infosec is an asymmetrical conflict between attacker and defender and approach it strategically: empower and aid the CISO in evolving past trench warfare into a defensible security posture. And then learn from failures and improve.