Tuesday, October 30, 2007

Surviva-what?

Now, this started it. This continued it. This clarified it. All was fun (and insightful, that is for sure!) Some might say even paradigm-shifting. But...

It had a horrible, confusing, abysmal name!

Generally, I hate the bandwagon-jumping. But, Chris, the reason that you "received about a dozen emails suggesting that Information Survivability just focuses on availability" is that the word "survivability" does bring that to mind. It really does! In fact, it is more about "scrambling, half-starved proto-mammals" (courtesy of Rich here) than about "process and risk management."

Now, the ideas are all gold! :-) I loved them, bookmarked them, del.icio.us'ed them, etc. Technical "anti-x-style" security does seem to miss a lot of what you are talking about in the piece. More risk thinking needs to be brought in (however hard it might be). Indeed, "7/10 information security programs are focused on compliance and managing threats and vulnerabilities - they don't holistically integrate and manage [business] risk." (changing the latter is waaaaay easier said than done though) More fun work is ahead, that is for sure!

So, next time you come up with a name for a revolutionary concept, check out the Pirate's Ship Name generator. According to it, the pirates, ya know, would call a ship "The Rage of the Sargasso Sea" or "Satan's Horror" or something scary. They wouldn't call it "The Floating Mattress" or "Bathtub of Dirty Water" now, would they? :-)

4 comments:

Anonymous said...

I suppose that's why I'm not in marketing. ;)

You got the point which is really what matters. I like to encourage, um, discourse.

My job is 51% inspiration, 48.002% perspiration and 0.997% pure comedy gold. The remainder is allocated to actually making a statement.

You see, I set my expectations low and fail to meet them, but since I know this going in, I'm always a winner!

Just to let you know, the post you reference was far from the beginning...that was almost the end.

Clicky here and go down to the bottom...that's where the action's really hot.

http://rationalsecurity.typepad.com/blog/information_survivability/index.html

/Hoff

Anton Chuvakin said...

Well, I think how you name things matters. It is not so much about marketing, but about hindering the effort by confusing naming...

Proceeding to read what you suggested ...

Anonymous said...

...and sometimes it's done on purpose to heighten discussion. In this case, it was and it worked (to a point.)

Given the commotion it's caused, I'd say it hasn't hindered a thing -- at least not from what I wanted to do when I wrote the piece.

If I'd named it "Information Security 2.0" do you think people would have even bothered to read it? ;)

The fact is that the concepts behind Information Survivability are sound and anchor the points surrounding the deficiencies that information security (as it has devolved to) suffers from.

Look at the .PPT preso from 2001. It references cross-site scripting! The thinking was (and at this point unfortunately still is) ahead of its time.

We've definitely seen the same behavior manifest itself with what the Jericho Forum did with "de-perimeterization" and I suppose I could have taken a "warm and fuzzy poll" first to ask what people would like me to call it, but...

This is part of an on-going theme, Anton. You'll see it as you read through the progression of links.

My goal is to get at least one person to think differently. I'm well ahead of plan.

Thanks for your post.

/Hoff

Anton Chuvakin said...

In this case, you should take the discussion in this direction as well: why is there so darn little risk management in security? :-)

Dr Anton Chuvakin