Tuesday, August 19, 2008

Information Security Jedi: Form II Lightsaber Combat

The most elegant and beautiful of the basic forms of lightsaber combat was form II. This form emphasizes clean moves, parries, and thrusts rather than the blocking and slashing of other forms. There is a discipline within information security that can claim the title of being so beautiful and so difficult to master: risk management.

A master of risk management meticulously calculates the probability of some event happening, the damage that can be done from that event, and how much effort the organization must put into mitigating that threat. No wasted movements, no throwing money at the problem to make it go away. If some event manages to do damage to his information, he can rest assured that he put precisely the right amount of effort into stopping that event and go on with life. Practitioners of other forms might beat themselves up for not preventing it from happening.

There are several hallmarks of form II information security combat. The form II practitioner is more likely to develop and use metrics to measure the effectiveness of the controls that have been put in place. This person is also likely to use finance and statistical tools like normal curves and Net Present Value to estimate what must be done to protect the network. Although regulatory compliance is not strictly related to risk management, you will often find that masters of form II are well versed in PCI, HIPAA, Sarbox, GLBA, and other regulations that affect their organization.
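The calculation a form II practitioner does, as an added example rather than anything from the original post: expected annual loss for an event (probability times damage) and the Net Present Value of a control that reduces it, so the effort spent matches the risk. All figures and names are constructed for illustration.

```python
"""Quantitative risk sizing: expected annual loss from an event, and the
net present value (NPV) of a control that reduces it."""

from dataclasses import dataclass


@dataclass
class Risk:
    """One threat event: how likely it is each year and what it costs."""
    name: str
    annual_probability: float   # chance the event occurs in a given year
    single_loss: float          # damage in currency units when it occurs

    def annual_loss_expectancy(self) -> float:
        """ALE = yearly probability of occurrence x loss per occurrence."""
        return self.annual_probability * self.single_loss


@dataclass
class Control:
    """A mitigation with an up-front cost, a yearly run cost, and an effect."""
    name: str
    upfront_cost: float
    annual_cost: float
    risk_reduction: float       # fraction of the ALE the control removes (0..1)


def control_npv(risk: Risk, control: Control, years: int, discount_rate: float) -> float:
    """NPV of buying the control over the given horizon.

    Each year's benefit is the avoided loss minus the running cost, discounted
    back to today; the up-front cost is paid now. Positive means the control is
    worth at least what it costs; negative means the organization would be
    overspending on this particular risk.
    """
    yearly_benefit = risk.annual_loss_expectancy() * control.risk_reduction - control.annual_cost
    present_value = sum(yearly_benefit / (1 + discount_rate) ** t for t in range(1, years + 1))
    return present_value - control.upfront_cost


def justified(risk: Risk, control: Control, years: int, discount_rate: float) -> bool:
    """The form II decision rule: fund the control only if its NPV is positive."""
    return control_npv(risk, control, years, discount_rate) > 0


# Constructed sample figures (hypothetical, not from any real assessment).
LAPTOP_THEFT = Risk("unencrypted laptop lost or stolen", annual_probability=0.25, single_loss=200_000)
DISK_ENCRYPTION = Control("full-disk encryption rollout", upfront_cost=40_000, annual_cost=5_000, risk_reduction=0.9)
GOLD_PLATED = Control("custom hardware tokens for every laptop", upfront_cost=200_000, annual_cost=5_000, risk_reduction=0.9)

if __name__ == "__main__":
    for ctl in (DISK_ENCRYPTION, GOLD_PLATED):
        npv = control_npv(LAPTOP_THEFT, ctl, years=3, discount_rate=0.10)
        print(f"{ctl.name}: NPV over 3 years = {npv:,.2f} -> {'justified' if npv > 0 else 'overspending'}")
```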

Form II is not without its weaknesses. Principal among them is that there is little focus on developing a deep bench of security controls. Once your numbers have justified a control to mitigate some risk, it is difficult to justify more money to mitigate that same risk. This is typically the domain of form III lightsaber combat.

Practitioners of form II are typically senior manager types or security professionals that come from an accounting or finance background. The accounting and finance field lends itself to the deep analysis required for mastering form II.

As an information security Padawan, I feel that I haven't come close to mastering any of the basic forms of combat. However, I feel that I am strongest in form III. I have only recently become aware of the power and elegance that comes from form II. I intend to study form II more carefully and start trying to incorporate form II into my combat style and possibly even master the form.

