Posted Jun 19, 08:23 AM by ben
There are a lot of go-to sayings that are generic enough that folks will use them as an ice-breaker. A way of getting you to nod your head as they build their premise. “Security is a process” is one of those.
Who started that? The presumption with that is to point out that security is not a product. “You are not your firewall”. I get that, but I do not like the expression any more than any other watered-down talking point that politicians use in an election year.
I had at least one guy who privately objected to my 140-character assessment of this. I got the sense that such an expression is a truth; and to rail against such a truth implies that you should at least have a replacement. “If it’s not a process then what is it?!?”. It’s rhetoric that helps you set up discussion. But hey, I’m game. Some replacements (off the top of my head):
// :: rant/ brainstorming

This work by http://electricfork.com is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
Schneier: Security is a trade-off.
MJR: Security is a façade hiding poor engineering.
New School: Security should be a science, but isn’t.
Hackers: Security is cryptography, only fun.
Geer: Security is econometrics.
I think it’s just a really hard distraction that in itself is only as interesting as the assets being protected from technologically augmented jerks.
— Grant · Jun 19, 11:37 AM · #