[ISN] Yoran and Spaf's Law

InfoSec News isn at c4i.org
Mon Nov 1 03:51:29 EST 2004


By Ben Rothke
October 25, 2004

In his book "Practical Unix and Internet Security," Professor Gene
Spafford of Purdue University spells out Spaf's first principle of
security administration: "If you have responsibility for security but
have no authority to set rules or punish violators, your own role in
the organization is to take the blame when something big goes wrong."

Spaf's principle is a cruel reality faced by many of those responsible
for information security. They often are treated like a cross between
Charlie Brown, who is constantly picked on, and the late Rodney
Dangerfield, who got no respect.

Amit Yoran is a prime example of Spaf's principle in action. On Oct. 1,
Yoran resigned in frustration after one year as director of the
National Cyber Security Division of the Department of Homeland
Security. Yoran lacked both an important title and appropriate
authority - which are everything in government.

Yoran said he resigned because he had done all he could with limited
resources. That much is true. In principle, he had done all he could.
But, in fact, he was severely limited. His hands were tied.

Yoran's very visible resignation motivated the House of
Representatives to change the language in the intelligence reform bill
that would have moved responsibility for cyber-security from DHS to
the Office of Management and Budget. Such a boost would give the
director the necessary power to bring about change in the government.

Further, DHS Secretary Tom Ridge, spurred by Yoran's departure, said
the cyber-security position would be upgraded to assistant secretary.

I, for one, sincerely hope that the cyber-security position will be
upgraded to assistant secretary. But the reality of Washington
politics is likely to preclude that.

The Yoran incident isn't unique. Many organizations like to state
publicly that information security is priority No. 1, but, privately,
they will not put their money where their mouths are.

Upper management often issues orders such as "Clean up the system at
any cost!" Yet when these same managers get recommendations for
pre-emptive security implementation, too often chief information
security officers are told, "The budget for this quarter has been
exceeded. Ask me again later in the year."

Information security is a challenging and technologically rewarding
profession. Unfortunately, those responsible for carrying out
information security often are not given the authority and budget to
get the work done.

Yoran knows what this is like. Without the means to do the job,
winning the security war is a nearly impossible fight.


Ben Rothke, CISSP, is a New York-based security consultant with
ThruPoint Inc. McGraw-Hill has just published his book: "Computer
Security: 20 Things Every Employee Should Know." He can be reached at
brothke at thrupoint.net. Free Spectrum is a forum for the IT community
and welcomes contributions. Send submissions to
free_spectrum at ziffdavis.com.