Sorry for not posting anything lately, I have been enjoying time with family.
A week ago I was making some food which I put some basil in. The basil ran out and I tagged it as something to buy from the grocery store. I probably have had too many idle cycles in my brain, because I began thinking about the following.
What if you have never seen, touched or tasted basil before, how would you know it is really basil? How have you ended up trusting it really is that? You probably have seen pictures of fresh basil, you have been told by many that it is basil and you have read in literature that it is basil. It is also commonly recognized as basil by the population.
Consider this. You have just learnt to read and have never seen, touched or tasted basil. You're told to go buy basil. Someone could sell you oregano in a jar which simply states basil and you wouldn't know. Eventually you would learn more and be able to distinguish between oregano and basil, even though they look quite the same when dried and chopped into tiny pieces. You would be able to go to trusted shops to buy it. In the above example you are probably told that you got the wrong herb, unless the requestor doesn't know better either.
So, how does this relate to security?
What I was thinking of is that the management which has to make security and other decisions is like someone who has just learnt to read. The subordinates are like those who could sell oregano as basil. Might sound harsh but that is my perception.
Even if you're equipped with the necessary skills to be able to understand the very details of network infrastructure, hosts, firewalls, applications, patching, vulnerabilities and so on, you still have to rely on others to produce most of the information for you which you base your decisions on.
What I mean is that you don't have a large population inside the company who agree on the current state of these things like you would with my example of basil, mainly because of resource allocations, different skillsets and interests. Instead you have smaller organizations who are supposed to tell you what they see. You are dependent on the skill and ethics of your employees, which on the other hand are affected by tight schedules, money and motivation.
Of course the size of the company and the complexity of the internal organizations affect all this. The larger the company is, the more points there are where things could fail in one way or another. On the other hand, you have more eyes than in a smaller company, which would have fewer but possibly incompetent employees.
Let's imagine there are four steps to the deciding manager: a group of specialists, the group manager, the city-level manager, the deciding country-level manager. In this the city-level manager deals with many group managers and the country-level manager deals with the city-level managers.
On each step from the specialist all the way up there is a possibility that somewhere in the chain oregano is sold as basil, either knowingly or unknowingly. The possibility grows the less attention peers pay to the details (peer review).
Being able to measure things (security metrics) helps to some extent but is still prone to misleading results. For example vulnerability scan data gives you the remote and, in some configurations, internal posture of a host, but what if the scanner itself has a limited view because of firewall rules implemented on the host or network? Things would look good on the automated report but the real state of the host would be totally different.
Surely having auditing enabled and a review board examining each firewall rule change would tackle at least firewall device modifications, but you hopefully get my point with the example. Such a modification could be the result of an earlier report: you get a "yes, we will fix it" response, followed by a lazy and irresponsible "fix" that blocks the affected ports from the scanner and patches only the necessary services. Motives behind this could be tight schedules and a "we will fix it later" mentality, not understanding the risk caused to the company by leaving the host vulnerable.
That would be you getting oregano instead of basil.
With proper controls, automated reports from different areas, auditing and reviewing things it could be possible to correlate results and mitigate these occurrences to some extent. But without having someone watch over the shoulder all the time you would never be sure, and there is still room for things to go wrong.
Sounds like it is not easy to be a manager who has to make important decisions driving the security (or any) posture of a company forward. But take into account that this also works the other way around: the people below the deciding manager have to trust that fair and correct decision making happens, all the way down to the specialist level. Specialists and upper management could be fed oregano by their middle manager who alters information to suit his own personal goals better, e.g. by painting a rosier picture upwards which causes the upper management to make wrong decisions that affect the specialists and the whole company. Depressing, huh? But we are humans, after all...
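As an added illustration of the correlation idea (this is example code written for this page, not something from the original post), the script below cross-checks three sources: the scanner's view of a host before and after a "fix", a host-based inventory of what is actually listening, and the firewall change audit log. A finding that vanished from the scanner while the host still runs the same service version, with a deny rule for the scanner's address logged in between, is reported as hidden rather than fixed; a service the scanner never saw at all is reported as a blind spot. All hosts, addresses, versions, timestamps and the audit rule syntax are constructed for the example.

```python
import re

# Constructed sample data: scanner results before and after a "fix" (host -> {port: banner})
PREVIOUS_SCAN = {
    "10.0.0.5": {22: "openssh 4.7", 443: "apache 2.2.3", 8080: "tomcat 5.5"},
    "10.0.0.6": {22: "openssh 5.1", 80: "apache 2.2.3"},
}
CURRENT_SCAN = {
    "10.0.0.5": {22: "openssh 4.7", 443: "apache 2.2.3"},      # 8080 disappeared
    "10.0.0.6": {22: "openssh 5.1", 80: "apache 2.2.11"},      # 80 shows a newer version
}
SCAN_WINDOW = ("2009-05-01T02:00:00", "2009-05-08T02:00:00")    # previous scan .. current scan

# Constructed host-based inventory (e.g. from an agent running netstat on the box)
HOST_INVENTORY = {
    "10.0.0.5": {22: "openssh 4.7", 443: "apache 2.2.3", 8080: "tomcat 5.5"},
    "10.0.0.6": {22: "openssh 5.1", 80: "apache 2.2.11", 3306: "mysql 5.0"},
}

# Constructed firewall change audit log; the rule syntax is an assumption for this example
FIREWALL_AUDIT = [
    {"host": "10.0.0.5", "ts": "2009-05-06T10:12:00",
     "rule": "deny tcp from 10.0.9.9 to any port 8080"},
]
SCANNER_IP = "10.0.9.9"

DENY_RULE = re.compile(r"^deny\s+tcp\s+from\s+(\S+)\s+to\s+any\s+port\s+(\d+)$")


def blocks_scanner(host, port, fw_audit, scanner_ip, window):
    """True if a deny rule for the scanner on this host/port was logged between the two scans."""
    for entry in fw_audit:
        if entry["host"] != host or not (window[0] <= entry["ts"] <= window[1]):
            continue
        match = DENY_RULE.match(entry["rule"])
        if match and match.group(1) == scanner_ip and int(match.group(2)) == port:
            return True
    return False


def correlate(prev_scan, curr_scan, inventory, fw_audit, scanner_ip, window):
    """Return (host, port, verdict) triples for every change or gap a reviewer should look at."""
    verdicts = []
    for host in sorted(set(prev_scan) | set(inventory)):
        before = prev_scan.get(host, {})
        after = curr_scan.get(host, {})
        local = inventory.get(host, {})
        for port, banner in before.items():
            if port in after:
                if after[port] != banner and local.get(port) == after[port]:
                    verdicts.append((host, port, "patched"))        # scanner and host agree on a new version
            elif port not in local:
                verdicts.append((host, port, "service_removed"))    # nothing listens any more
            elif local[port] == banner and blocks_scanner(host, port, fw_audit, scanner_ip, window):
                verdicts.append((host, port, "hidden_by_firewall")) # same old service, only the scanner is blocked
            else:
                verdicts.append((host, port, "unexplained_disappearance"))
        for port in local:
            if port not in before and port not in after:
                verdicts.append((host, port, "scanner_blind_spot")) # the scanner never had a view of this service
    return verdicts


if __name__ == "__main__":
    for host, port, verdict in correlate(PREVIOUS_SCAN, CURRENT_SCAN, HOST_INVENTORY,
                                         FIREWALL_AUDIT, SCANNER_IP, SCAN_WINDOW):
        print(f"{host}:{port} -> {verdict}")
```

On the constructed data the report shows the tomcat service on 10.0.0.5 as hidden by a firewall rule, the apache upgrade on 10.0.0.6 as a real patch, and the mysql listener on 10.0.0.6 as a port the scanner never measured. The point is that none of the three sources is trusted on its own: the verdict only comes from where they disagree.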
www.liquidinfo.net - Security is a mindset
May 9, 2009