Walking Past

I just attended an information security conference. Sitting in a sea of information security experts, I drifted into a mental skirmish with myself, reconciling the content of the presentations, the mood of my fellow security stewards, and the state of the breach curve. Playing in the background of my thoughts was the phrase “the standard you walk past, is the standard you accept”.


“The standard you walk past, is the standard you accept.”


It occurred to me that the security industry will not change the tide of the battle until there is a shift in who “owns” the problem. We are an industry that has the best and brightest, the full attention of our benefactors, and control of the home court, and yet we continue to lose against foes that are – by and large – just lucky. I have oftentimes asked myself if this is an economic resultant, where the most profitable outcome determines the industrial response.

Is Target actually “worth” more to the security industry pre, or post, breach? I don’t believe there is an overarching conspiracy here; Target owns their breach. But, with that said, what does the information security industry own? The three sins of Target: Communication, Compartmentalization, and Reaction, all seem to be ideal for technological/operational solutions.

In the case of Target, see Merry’s 1st law of software switches:
“Any switch retains its initial configuration until acted upon by a review or oversight”.

My belief is that a salient problem in security today is the bounds that we set for our software solutions. No solution should call itself complete until it possesses external checks and balances that promote escalation and cross-organizational oversight. As well, no information security company should leave the implementation phase with their customer until a maturity level is demonstrated and agreed upon as beneficial to the security of the host. Security software does not work until it is proven to make the host more secure. To say “our software operated as designed,” with regards to a breached company, is just walking past.

– Gary Merry, CEO