Slashdot Mirror


User: starfishsystems

starfishsystems's activity in the archive.

Stories: 0
Comments: 927

Comments · 927

  1. Re:Ghosts on Visual Hallucinations Are a Normal Grief Reaction · · Score: 1

    Unfortunately, the nonappearance of something during a particular observation doesn't rule out its existence elsewhere.

  2. Re:Ask about priorities on Interviewing Experienced IT People? · · Score: 1

    Good one.

    Not to salt the randomness of possible responses, but I personally would begin to answer by observing, "All these factors are mutually interdependent." And I would go on to illustrate how richly they're interdependent.

    The insight you get, and the contribution you can make, with several decades of experience in the field, is how to manage this coupling. You look for synergies and nurture them. Likewise, you look for points of dysfunction and, necessarily, perform a certain amount of triage to distinguish which battles you can successfully enter and which to avoid.

    I say this because of the number of times I've made the wrong call, or been maneuvered in good faith into taking on a lost cause. In any environment as complex and volatile as ours, that's to be expected, but few people like to acknowledge the reality.

    So my question to a potential employer is, do you get this? And what steps do you take to increase my chances of success?

  3. work/life balance on Why the Widening Gender Gap In Computer Science? · · Score: 1

    I think you've got it, or at least a significant aspect of the issue.

    I've watched for 30 years now as work conditions and culture in this field drift steadily out of balance compared to the expectations of life held by my friends and family. Now, I don't want to complain here, because it's evident that all professions are under increasing pressure to do more with less, but I think there is something pathological about how that expresses itself within the IT culture.

    Though it wasn't always the case, women would now be correct in perceiving that a career in IT will be a socially stunted minefield of passive aggression, concerned not so much with cooperation, caring, and friendly competence as with an obsessive preoccupation with technology combined, as you've noted, with various and pointless kinds of power games.

    We can all think of individual examples where values are out of balance, and I'm sure the same would be true of any field, but I'm speaking of something quite a bit more pervasive. When we embrace technology as a comprehensive end in itself, it makes us shallower and narrower in our outlook, and ultimately less humane. I see a lot of that in this field. Men, especially younger men, may not be terribly repelled by the idea of working under those conditions, but I think women are, and I think they're right to be.

    And so, without an approximate balance between genders and their perspectives to temper the situation, it becomes gradually more extreme, and we become more alienated within it. The one happy thought I can offer is that this condition is not intrinsic to computer science but merely to the culture of information technology. Computer science, like other sciences, is concerned with enduring truth, something which I'm sure women care about as much as men do.

  4. Re:Anthropic Principle on Science's Alternative To an Intelligent Creator · · Score: 1

    Agreed with the sibling post that Caroline Miller is simply wrong, but it's such a classic misinterpretation that it deserves comment.

    She refers to a "belief that the universe was created for our benefit." First, the Anthropic Principle is unrelated to belief. Second, it asserts nothing about purpose. I understand the desire to contribute to an interesting and intellectually rigorous discussion, but injecting superfluous premises is not a useful way to do it.

    Okay, setting that minor distraction aside, I'd like to comment on the legitimately contentious multiverse issue. May I ask if it's really such a big deal to reformulate the expression so that the number of universes is not unity but some other value? Why only consider edge cases? To presume that this value is nonzero simply accords with observed reality. Fine, but to presume that it's necessarily unity is, in my view, an unwarranted constraint on the general formulation.

    Neither does it follow from evidence. That would be equivalent to inferring that because we've only seen evidence of life on this planet that there is no life elsewhere. Occam's razor must equally not constrain possibilities without reason.

  5. Dark on New Datacenter In Underground Lair · · Score: 1

    Dark, dark, dark. I look down those rows of cabinets and all I can think is how much I would hate to pull cables or install gear in them.

  6. Won't get fooled again on Microsoft's Office Web Will Do iPhone, Linux, Mac · · Score: 2

    Pardon me for injecting a note of caution.

    See, I seem to vaguely recall a few hundred previous occasions in which Microsoft played this same game. It's amazing to me that anyone would still fall for it.

  7. Re:Policies don't solve problems. people solve the on Remote Access Policies · · Score: 1

    I think you're confusing policy with mechanism.

    A security policy describes intent. It might say for example that certain staff are allowed to perform certain operations on certain information and facilities, that contractors are allowed another set of operations on more restricted information. And likely there will be a contractual agreement which refers to this policy and identifies the consequences of noncompliance. To answer your question, this says what management is going to do if someone breaks policy.

    Then there's mechanism. This is the blueprint for all of the procedures and artifacts which directly or indirectly serve to implement said policy. Likely it's not a failing of policy but of mechanism if trade secrets are exposed on a public web server, for example, though on the other hand it's true that many sites have no formal security policy at all, and thus have no tenable position if an exploit should take place due to ineffective mechanism. The mechanism only exists to implement a given policy.

    Now, if you look closely, you'll see that there is a missing piece in this whole equation. We have security policy and mechanism. We have a contract which binds individuals to abide by the policy. Ordinarily such a contract contains reciprocal clauses which identify the rights and responsibilities of both parties. But how many of these contracts, do you suppose, spell out what the employer will do to protect the employee from accidental access to inappropriate materials? In all of the complexity around information security, this piece is often overlooked, and though it may be an innocent oversight, it leaves the employee in a very vulnerable position.

    I was once in a situation where an employer required me to take a corporate laptop home with me every night. The nature of my work meant that said laptop was full of proprietary software and data. The employer provided no disk encryption, no locking or tamperproofing mechanisms, nothing. I think that a lot of employees would just go along with the situation and take their chances. I don't recommend this. At the very least, get legal advice in reviewing your employment contract.

  8. Re:I replaced it on (Stupid) Useful Emacs Tricks? · · Score: 1

    Interesting. About 25 years ago I wrote something similar.

    Although I got the concept of modularity insofar as providing a set of functions for primitive screen and keyboard operations which the rest of the application could use to build higher-order behaviors, I didn't expose these functions in an extensible way, nor did I provide a means of binding keys to them.

    That's because I'd never heard of emacs. So, while my little display editor was a lot more efficient to use than the primitive line editor available to me at the time, I look back on its lack of configurability and extensibility with some embarrassment.

  9. Re:About time on Bill Joy For New National CTO Post? · · Score: 1

    Do we really need people who know how things work 'under the hood' to make smart tech decisions?

    Yes, I think we absolutely do. I've seen the pattern again and again where people who are not technologically informed do not approach technology issues with respect for its hard constraints. Instead they try to apply their negotiating skills to the challenges of technology, as if physical properties could be persuaded to operate differently.

    For the same reason, such people end up mistrusting their technically knowledgeable counterparts because these individuals in turn are not in a position to accommodate requests to change physical reality. It's not enough to be advised by others if you can't judge the difference between opinion and reality.

  10. Re:grep --color on (Useful) Stupid Unix Tricks? · · Score: 3, Informative

    diff -y Compares files side by side.

  11. Sensitive metrics first, visualization second on Applied Security Visualization · · Score: 1

    Visualization is a natural companion to security metrics. But I'd stress that unless you have sensitive metrics in the first place, visualization is not going to help.

    For an excellent, intellectually rigorous treatment see Andrew Jaquith, "Security Metrics", ISBN 0321349989

  12. Re:A Necessary Addition on Inventor Open Sources "TV-B-Gone," and Why · · Score: 1

    So many offensive television sets in inappropriate places...so little time.

    I totally agree. Occasionally I travel to the United States for business, where it seems I cannot get away from television sets intruding on my attention wherever I go. Airports, lobbies, even conference rooms, it's like nowhere else on the planet.

    The worst, for me personally, is going down to the hotel restaurant for a nice quiet breakfast to center my thoughts before a busy day. Instead my experience is going to be invaded by televisions prominently blaring the "news" which I find to be narcissistic, alarmist, and largely irrelevant.

    What a relief it is to be able to get away from that. Other cultures have their own weirdnesses, so it's not that I want to single out the States for criticism. It's just that my work brings me into contact with this particular one most often.

  13. Re:It'll work, if cyberspace != internet on Air Force To Rewrite the Rules of the Internet · · Score: 1

    Don't forget strong identity at the data link layer.

  14. Re:Attack and defend? on Air Force To Rewrite the Rules of the Internet · · Score: 1

    What makes you assume that they need to use the same systems to perform secure operations and as points of attack over the public internet?

  15. Re:Internet + secure on Air Force To Rewrite the Rules of the Internet · · Score: 1

    I've heard the argument that the issue has to be addressed not principally at the session and presentation layers but in device authentication at Layer 2.

    Physical identity is not the only thing to establish, and you're right that end-to-end security has to be implemented at higher layers. But really hardened communications also doesn't have the luxury of treating the lower layers as transparent.

  16. Re:Overhead on Resisting the PGP Whole Disk Encryption Craze · · Score: 1

    This is a brilliant example of "defense in depth". You've taken the opportunity to understand the structure of the data and adapted the structure of your environment appropriately. Equally important, the solution, far from being exotic, is a prescription for how to treat aggregate patient data in general.

    See how different this is from approaches such as indiscriminate encryption or application firewalling. In their place, these approaches may offer security value as well, but more along the lines of adding a layer of defense against the unforeseen. Their main advantage is simplicity, an important consideration when implementing a security policy such as "default deny" across the organization. But the data can't stay encrypted forever, and likely it has to pass between applications. Your approach addresses this case in a way that indiscriminate encryption cannot.

  17. Information outlives technology on Researcher Warns of "Digital Dark Age" · · Score: 5, Insightful

    "I often ask, 'Everyone in the audience who thinks they're going to be using the same word processor in ten years, raise your hand.' No hands go up. 'Everyone who has data around that's going to have value in ten years?' After a minute's thought, every hand goes up. The lesson is clear: information outlives technology."
    - Tim Bray

  18. Re:Marketing and Management already know! on Researcher Warns of "Digital Dark Age" · · Score: 1

    Mod parent as "funny", not "informative"! Put data into the cloud, it's not even yours to manage any more. How is that any more future-proof?

  19. Re:Maybe it's the judge..... on Canadian Court Rules "Hyperlink" Is Not Defamation · · Score: 1

    I have the good fortune of knowing a couple of his colleagues on the BC Supreme Court.

    You know what? They're decent, conscientious, intelligent people whose capacity for formal reasoning is more than sufficient for understanding the technical concepts pertaining to this case, especially as they're commonplace in any office environment.

    Now, something like email header forging, say, that requires an understanding of design and implementation details behind the scenes, would require special consideration, but until we have a specific decision in front of us which we dispute for technical reasons, there isn't much to complain about.

  20. Re:Quotes from the judge's decision on Canadian Court Rules "Hyperlink" Is Not Defamation · · Score: 1

    No proof links were clicked: note the gentle way in which the Court advanced several points concerning a previous case where the same plaintiff had likewise failed to offer evidence, and in consequence had that claim denied. The decision, the second time around, has all the more force as a result.

  21. Re:So many negative posts on The Effects of the Cloud On Business, Education · · Score: 1

    Read the SLA. Note the utter absence of any reference to data privacy or integrity. The committed uptime is slightly worse than what I've logged on my office system over the past ten years, taking into account kernel panics, hardware failures, and scheduled upgrades. Hardly a high availability solution, in other words.

  22. Re:letter to the cloud on The Effects of the Cloud On Business, Education · · Score: 1
    Fair enough analogy. What you're proposing is more or less what Grid computing intends to offer. There are claims that cloud computing is a superset but without a specific implementation we have to guess what distinguishes those claims from pure hype. But let's be charitable. Taking Grid as a lower bound, there are two things which differ from a torrent download:
    • Somebody still has to write the distributed algorithm for whatever it is that you'd like to do. And if your computation doesn't benefit from parallelism, what advantage remains to farming it out?
    • There is no way to guarantee data privacy and integrity when the data is to be subject to some kind of distributed computation. If the cloud is to do anything other than store and retrieve your data, it has to be able to work on the plaintext. And somebody other than you owns those cloud resources. In fact, what's to prevent them from offloading your data to another party?

    Read the SLA if you can get hold of one. So far, all I've seen is an uptime guarantee that is no better than my home system. There is nothing in any SLA I've seen that even mentions privacy or integrity. Caveat emptor.

  23. Re: I think we should be able to on Economic Crisis Will Eliminate Open Source · · Score: 2, Interesting

    I think it's very instructive to look at parts of the world where people don't have a lot of wealth, where hard times are the norm.

    When life is not primarily about making money, because there is little money to be made, what happens instead is that people direct their efforts toward other purposes that add value to their lives. Have you ever wondered why there are more community festivals and a more ubiquitous gift economy in poor nations than in rich ones? How can they afford it? Well, those cultures place a value on time and effort, which every person has in equal measure. People are able to participate in their community on this basis. So, despite the many disadvantages of poverty, social activities flourish, particularly those requiring time and effort. That sounds a lot like open source development to me.

    Our present culture is about money. That's why an economic downturn causes enormous social disruption, because it impacts our ability to participate. Because we have all this wealth to maintain, and all these complex commitments which depend on cash flowing at a certain rate, we can't just laugh it off. It's difficult to adapt to changing conditions, but especially so when we are encumbered with wealth. For example, I have a much more jealous attitude toward my apartment as a mortgage holder than I did back when I was a renter.

    So, the question of when people will stop caring about "intangible" goods produces a different answer in different circumstances. Sure, in the extreme case of real famine, we lose the means to participate in any constructive sense, and this applies to any culture. But it's doubtful that's the case we're looking at now.

    I'd argue that the conditions which encourage community participation - open source development, for example - come into play more strongly in poor times than in rich times. This is the exact converse of what the article claims, because it assumes that we all have nothing better to do than fight over whatever trickle of wealth continues to flow out of the old tap. I think people may just as likely turn away from the tap and put their efforts elsewhere.

  24. Risk on Schneier on Security · · Score: 1

    It's called transferring risk.

    Absolutely. And insurance is the classic mechanism for transferring risk. Schneier develops this idea extensively in "Secrets and Lies."

    An insurance policy converts a set of risks into a fixed expense for a period of time. It can do so even when those risks are due to events outside your control. You cite some great examples.

    But insurers may charge a higher fee for unmitigated risk, or they may not agree to underwrite the risk at all if mitigations are not performed. For example, here in my apartment building we have to perform annual fire inspections or we don't get to renew our insurance. Schneier predicts that this kind of pressure is what will ultimately create change in the information security space.

    So what are those specific mitigations? Well, they are the ones which actually decrease risk. The insurance industry has no interest in security theatre, it wants the real thing, because its profitability is directly linked to getting security right.

    In practice, you, as the insured party, will have to demonstrate that you have applied appropriate mitigations. The wrinkle here is that, where effective security is concerned, what is appropriate for you is not necessarily appropriate for someone else. This is what Schneier means about not being able to buy security.

    The statement is not such an exercise in hyperbole as you might think. It's very hard to fix bad security if it's part of your core processes. Yes, you can pay for security consulting services, and I think you're absolutely right, those services will rarely be effective without accompanying education. Otherwise, people fall back to their old ways.

    But I'd argue that education itself is not enough either. It's equally important, and difficult, to design human and machine processes to be secure by default, and to have well defined roles, effective identity, effective containment, and so on for progressively relaxing that default. To apply the obligatory car analogy, we have to educate people to drive on the righthand side of the road, but we should not also put the ejector seat button next to the stereo. If there is no button, the question of when to push it never comes up.

    But organizational processes vary greatly from one organization to the next. Maybe your organization is more analogous to a fighter aircraft than a car. Maybe it needs that ejector seat. You've got to be at least willing to make that determination. Get help, but take on that responsibility. That's what Schneier means, I think, by "getting" security.

    I agree, the real educational effort should go toward reducing the number of stupid ideas that get proposed in the first place. In other words, it has to be pervasive, and in hierarchical organizations, that means it has to travel from the top down. I predict that will start to happen the instant there's a fiscal impact, for example, higher insurance premiums. But for now, as long as the senior people are not educated about security, there will continue to be a lot of downloading and blaming, and not a lot of effective transformation.

  25. Re:What the Hell is Wrong with Canada? on Canada Election Result Bad News For DMCA Opponents · · Score: 1

    In this discussion, "Liberal" and "Conservative" are not political positions but the names of specific Canadian parties which, it turns out, have quite involved histories. As in most parliamentary systems, their political positions are more nuanced than you may appreciate if you don't follow the parties closely. I have a similar problem when trying to follow politics in the UK or Australia.

    The weird stuff that happens in American politics is something else entirely. Its history both as a republic and of slavery creates some unique attitudes toward freedom that you just don't find anywhere else in the world. Add to that the deepest sorts of influence of corporations on public policy, plus the rise of religious fundamentalism and corresponding hostility toward reasoned discourse, plus a culture of excess, and you have all the necessary ingredients for rampant mismanagement.

    It's not that I think there is something wrong with the American people. They're good people, as decent as any you'll find anywhere. Yet I don't think it's conceivable that another country would find itself going down the same path.

    It would be reasonable to assume that Canada is different from the US in significant ways. Lots that's wrong here, no doubt, but not for the same reasons.