A little while back I commented on Marcus Ranum's HiTB talk "Cyberwar is Bullshit!". I ended that post with the words "Ranum is indeed much better than this". Ranum spoke recently at Source Boston, and his talk [The Anatomy of Security Disasters] shows that this is true.
If you are in the industry to make a quick buck, or because it beats flipping burgers at McD's, you probably don't need to read it, but if you are involved with security decisions at any level, then you really should take a few minutes to digest his talk.
If I have any criticism of the piece, it is simply this: Ranum frames the issues in terms of computer security, but the behaviour he describes is actually symptomatic of dysfunctional management in general.
"there is a huge disconnect between what management hears and what they are told — a disconnect so severe that senior management .. can deride security practitioners as "whiners" while still expecting them to enable business securely"
His timeline of a disaster is spot on, and I'm sure it is something that will cause vigorous head-nodding from readers all over the planet:
"At the beginning of the disaster, a bad idea is proposed. Often, someone immediately tries to shoot it down, or point out its flaws. In very rare corporate cultures, the idea dies there and the whole disaster is averted. More typically, the bad idea survives - as does the trail of emails pointing out the initial flaws.
..
Next comes the most interesting part of the disaster. Suppose management is duly and accurately apprised of the fact that the idea is bad. If the idea is something management really wants to do, there is sometimes a period of negotiation, or re-tuning. The idea bounces back and forth and has various tweaks applied to it, but two important things remain:
- It is still a bad idea.
- It is going to happen anyway.
Then comes the most crucial part of the disaster: the point at which management's expectations begin to form a reality gap. Generally, this happens because management believes it has set out some objectives, and does not realize that those objectives are being renegotiated because the basic objectives are literally impossible or simply ridiculous.
Up in the corner office, they see people working hard on making the idea come to fruition, plans are being made and considerations are being weighed. The trade-offs that are being made, which place the organization at risk, are being somewhat improved with compensating controls, but nobody has been able to break it to the corner suite that we're still dealing with a fundamentally bad idea. More importantly, still, the compensating controls may serve to obscure the fact that they amount to little more than butt-covering. In the most dysfunctional organizations, you get senior (or sometimes mid-level) executives who 'shop a bad idea' until they find someone who is willing to tell them it is good."
I originally planned to include only small sections of Ranum's talk, but felt I couldn't leave those snippets out. I have sat in on more than my fair share of executive meetings, and his words ring true whether they relate to security decisions or just strategic ones. I love the Feynman report (his appendix to the Challenger shuttle inquiry) that he quotes, and firmly believe that one of the biggest challenges we face is trying to break the insane "reality gap" that seems to prevail in boardrooms across the globe.
/mh
"Simply put, such disasters are purely the fault of poor management; managers who 'shop' bad ideas, or who create organizational cultures in which staff that point out problems are "whiners" or "nay-sayers." Unfortunately, in most businesses, senior level managers are recruited for being "can do" types who get the job done, which means that you're particularly in danger of having to deal with a senior executive that is comfortably living with a serious reality gap"

list. I have a lot of time for what these guys have to say, and I thought some of their comments on Ranum's thoughts were worth reproducing.
Please forgive my wanton use of copy and paste...
<Andy Steingruebel>
Interestingly enough nowhere in this piece does Marcus indicate how we know the idea is "bad." He simply stipulates that someone has said so, or proven it somehow, based on something. It isn't clear to me how this happens, what evidence the person has for it, or why anyone should take them seriously.
...
My takeaway from this rant is what?
</Andy>
<Alex Hutton>
It's kind of the same thing he's been saying for quite some time now. No new information, no new approach on his part to the obvious counter-arguments. So there's not really much to say...
</Alex>
<Andy again>
1. Security is hard, hell, we don't really know what "secure" means
2. We don't really know how to do it even if we can define it
3. Organizations and their decision making are dysfunctional
I'll agree that hearing Marcus rant can be fun... just not sure it's conference-worthy material in this case.
...
I sure do wish more security folks would read about real engineering disasters. Not all of them are as plagued by bad decisions as the shuttle disaster was. Everyone wants to call that one out because it is easy as a postmortem to see how failed decision making resulted in an accident.
More illustrative I think are the case studies Petroski pulls together in his works. He talks about other real world engineering failures/disasters where we do have takeaway lessons, but they can't all just be attributed to someone not following Tufte's advice and using better presentations of data.
Sometimes there are things we simply don't know, couldn't have reasonably known, and bad things happen.
Engineering, for all that it is a science, still gets put into practice by people.
The next person who talks to me about the shuttle disasters loses credibility if they can't also talk about another failure. And no, the Tacoma Narrows bridge doesn't count either. Go look up some other failures before you want to talk about this subject and be credible.
</Andy>
There were some other interesting posts in the thread (Cohen's piece on black swans - http://all.net/Analyst/2009-04.pdf - is worth the 5 minutes it takes to read), but you'll have to go dig through them all yourself...
I think a Ranum post these days is as likely to get shouts as it is to get shouted down, and I think it's ironic that Ranum is now getting hit by contrarians when so much of his ranting is simply him being contrarian. But I don't think Ranum in general, or "people who quote engineering disasters" in general, should detract from the points I highlighted in the post: that if someone cares about, or has a vested interest in, the successful running of an organization, it is important that they spend some time addressing "reality gaps".