Placebos and Security

There was recently a study that found when people knew that they were taking a placebo, it still helped. The common idea in the past was that you could utilize placebos for controlled studies only if the patient didn’t know. The mere act of going to the doctor, taking a pill, etc. meant that the mind was tricked! Being a security geek, this struck a chord with me.

Listening to vendors and ISSOs/ISSMs about their secure implementations, it occurred to me that the medical world was playing catch-up to infosec:

People will generally feel safer if you go through the motions.

Bruce Schneier calls it security theater when the TSA or DHS institutes some silly new rule, but we as a community can learn from the scolding. How often do we toss a Unified Threat Management (UTM) appliance in a network and claim success? Does it make you feel good to disable all USB thumb drives rather than putting together a cohesive file-based security posture? The real threat isn’t so much the USB drive as your lack of TRIAD enforcement. C-onfidentiality means disallowing access to info that doesn’t belong to someone, since you can’t unsee something. What your users can’t bring out on USB, they can bring out with their eyeballs. These are just two examples, but there are many more.

Consider this my 2011 prediction that security will still suck. Consider this my 2011 Resolution too though, to stop using placebos in place of tried and true security. I hope you guys will do the same.