Trust what you know.

Hi folks,

For all the issues Greece has today, the Greeks may deserve a little bit of a pass. They may not be able to handle their finances, but Western civilization has a debt of its own to them. Pythagoras, Democritus, Socrates and his crew… over the course of a few centuries, Greece churned out a whole bunch of big brains that changed the world.


One of those big brains was Zeno of Elea. Zeno is probably best known for two things: being a badass and frustrating mathematicians for nearly two millennia. He’s a badass because, while near death after being tortured to reveal the names of his co-conspirators in a plot to overthrow a tyrant, he pretended to have a secret for said tyrant, only to bite his ear off with his dying breath. He frustrated mathematicians with his paradoxes, the most famous of which are his arguments against motion, including the paradox of Achilles and the tortoise.

The gist of the paradox is that any object in motion, no matter how fast, cannot catch up to another, slower object that got a head start. This being ancient Greece, the fastest guy they knew was Achilles, who is now perhaps best known for being the role played by Brad Pitt when he redefined 40-year-old male body image standards. The jerk.


How does the paradox work? Basically, a tortoise gets a head start – maybe 100 meters. Then Achilles starts, but by the time he reaches the 100 meter mark, the tortoise has moved on, perhaps another 10 meters. Achilles then covers those 10 meters, but the tortoise has moved on again, another meter. And so on. Achilles can never catch up, even if he gets really, really close. It took 2000 years for math to disprove Zeno’s paradox with convergent series, thanks to Scottish mathematician James Gregory.
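As an added illustration that is not part of the original post, here is the convergent-series argument worked through in the post's own numbers. The assumption is that Achilles runs ten times faster than the tortoise, which is what makes each leg (100 m, then 10 m, then 1 m, …) one tenth of the previous one.

Let $d_n$ be the distance Achilles covers on leg $n$ and $S_N$ the total after $N+1$ legs:

$$d_n = 100 \cdot \left(\tfrac{1}{10}\right)^{n}, \qquad S_N = \sum_{n=0}^{N} d_n = 100 \cdot \frac{1 - (1/10)^{N+1}}{1 - 1/10}$$

The number of legs is infinite, but the total distance is not. As $N \to \infty$ the term $(1/10)^{N+1}$ vanishes and the partial sums settle on a finite limit:

$$S = \lim_{N \to \infty} S_N = \frac{100}{1 - \tfrac{1}{10}} = \frac{1000}{9} \approx 111.1\ \text{m}$$

The same holds for time: if Achilles runs at speed $v$, leg $n$ takes $d_n / v$, and the total time is $S / v$, also finite. So the infinitely many "catch-up" steps Zeno describes all happen before the 111.1 meter mark, and Achilles passes the tortoise there. The paradox only looks unanswerable if one assumes that infinitely many steps must add up to an infinite distance or an infinite time.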


But we all know better even without the mathematical equation, right? And so did the ancient world. We all instinctively know that Achilles is faster than a tortoise, and that he could easily pass it despite a delayed start. It’s just obvious, even if we don’t have the definitive proof.

What would have happened if the world had waited for a mathematician to prove what we already knew? Would we have thrown up our hands and accepted defeat at the hands of a tortoise because nobody could disprove Zeno’s paradox? And what about all the other things we knew, but couldn’t prove – had we waited for definitive proof before simply accepting that something is even if we can’t express why, what advances and discoveries would we have missed?

In the Federal information security world, many have fallen into this trap.


Audits and regulations have become such a huge part of our world that many people refuse to consider actions that aren’t prescribed by an outside, authoritative source. As if the absence of a reference by NIST or OMB somehow invalidates the value of an idea.

This lack of initiative and creativity isn’t caused by NIST or OMB – it’s our fault. We’ve become so conditioned to prioritize a lack of findings that we’re living the infosec equivalent of teaching to the test – focusing exclusively on known evaluation criteria. The problem is that our adversaries don’t play by the same rules – they don’t look only for unimplemented NIST 800-53 controls to exploit, they’ll exploit anything they can find. For as great a document as 800-53 is, we can’t afford to be limited by it. It and all the other guidance out there are not the definitive documents for information security.

Here’s the good news. If this is fundamentally our fault, we can fix it. We need to be comfortable doing things that aren’t prescribed by an external authority. We’re all hired as experts – let’s put our expertise to work. We need to use our creativity, our sound judgment, and our instincts as valid inputs into the information security process. Otherwise we risk missing out on progress while we wait for somebody else to prove what should have been obvious to us all along.

Rex