I attended the ShmooCon security conference a couple of weekends ago in Washington, DC. In the aftermath, I find myself thinking about why I enjoy information security (and more generally, operational risk management) as a field.
After all, does this sound enticing:
Telling other people what not to do;
Constantly playing catch-up with adversaries;
Facing new problems as soon as the current ones get solved.
It sounds kind of Sisyphean, and there is some subjective sense of futility inherent in security and risk management, because you’ll never be perfect and solve it completely. That’s the nature of the problem: it’s not about patching one giant flaw at the heart of technology to arrive at a fully satisfying answer. Instead, it’s about identifying and addressing a very large number of small flaws that can combine in complex and unexpected ways. It’s about defense in depth and mitigation. It’s risk management, not risk eradication.
This can get frustrating, yet the infosec field doesn’t feel entirely Sisyphean. To the contrary, its mystique has spanned decades, spawning movies, books, websites, and endless conversations. Even its practitioners, fully aware of the non-glamorous parts (aka most of them), often find it remains interesting. So, what’s the secret sauce?
The Big Thrill
There are two major differences between Sisyphus’ toil and an information security defender’s.
Sisyphus’ curse was not just endless, but also meaningless and boring. Nothing ever changed for him. He rolled the boulder up the same hill, to the same futile end, with nothing ever truly achieved, over and over for eternity.
On a boring-to-varied scale, security is the opposite of Sisyphean. It is constantly changing: the threat landscape, the sophistication of threats, the sophistication of targets, the knowledge of adversary and defender. That makes it exciting, despite the bare fact that the war is never won. The moment a flaw is patched, or a new technique is developed to prevent intrusions (as a new cryptographic algorithm such as AES once was), attackers begin testing for cracks and crevices, trying new strategies, working around the defense if they can’t work through it.
For a person with the right mindset, this can be intriguing, even thrilling. It’s a puzzle that’s never the same twice. The apparent unsolvability, the lack of a perfect answer, can be part of the appeal.
The other important difference is that the state of information security is on an upward trajectory, at least for now. Our technology landscape is vastly more secure now than it was in the 1990s and early 2000s, despite escalating capabilities on both the attacker and defender sides. That means infosec is not a Sisyphean endeavor in the long view, even though it can feel that way on a day-to-day basis.
What’s This ‘At Least For Now’?
There are always questions. A couple of them are:
What will happen when quantum computing becomes commonplace and asymmetric-key encryption no longer works as it has for decades (symmetric-key encryption like AES will probably continue to work, at least for a while)?
Here the answer is probably that we will adjust, with fits and starts and disruptions during the transition to new ways of doing things. The US National Institute of Standards and Technology (NIST) is already working on post-quantum cryptographic standards.
What will happen when AI invents new cryptographic schemes that humans don’t fully understand, and we roll them out?
We don’t know. (Honestly, I’m more worried about this than about the quantum revolution.) But we’ll do our best to adjust, though likely with bigger fits and starts and disruptions and a higher probability of unexpected consequences.
Security is adaptable because humans are adaptable. Sisyphus’ torture was so terrible because he never got the chance to adjust and adapt. He just did the same unchanging thing, round the infinite clock forever, never getting anywhere. Security teams may feel like they’re constantly struggling to catch up, but they are also able to constantly evolve and adjust. The balance of power shifts over time, and the long-view overall trajectory has been, so far, toward greater security.
That’s what gives security legs and drives its appeal.
Comparing Sisyphus to Security -- FUN FUN FUN. Thanks for a window into what it is like to work in the field.