A boss once told me, “In a ham and egg breakfast, the chicken is involved, but the pig’s committed”.
With security, there are three separate groups which have fundamentally different views on how to provide security. Two are involved, one’s committed.
We can learn a lot by considering how each views security and how integrating all approaches as opposed to focusing on a single one provides better security.
First, there are the builders: the engineers, designers, coders, testers, and integrators. They approach security as something you build. They expect the attacker to know everything about the system minus some minimal authentication information. They fix code, secure configurations and repeatedly test to make sure everything is perfectly secured. They are involved.
They are the sensors and they see security as a sensor: to secure something, hide it. Intel documents all the places where people didn’t hide things and were consequently compromised.
Therefore counter-intel believes nothing can be perfectly secured, so instead it is best to do everything in your power to prevent the attacker from gaining information. The engineers abhor this approach as “security through obscurity”. Intel and counter-intel are involved.
They are committed. Operations receives the output of engineering, intel, and counter-intel and has to make it work. Security is not their job; it allows their job to happen.
As such, they are likely to ignore any security that impedes operations. They know their systems are imperfect. They know they can’t prevent information from getting out there.
Instead, they strive, not to be perfect in either the intel or engineering way, but simply to be better than the attacker. They solve problems procedurally and will substitute labor for technical solutions, (i.e. incident handling instead of an IPS).
Any sound security solution needs to have a little of each. Because operations is committed, all security needs to support them. However, not all problems are solvable procedurally or with human capital.
Engineering is required to provide operations the tools they need as well as to provide systems built to slow down the attacker as well as fail gracefully when compromised. Intel is needed to provide operations information to help them orient and act.
Counter-intel is needed to help operations slow the loss of information. Only when all areas are working in concert for the common operational goal, is security realized.