Wired has a good interview with Thomas Friedman, foreign affairs columnist for The New York Times and author of the new book The World Is Flat: A Brief History of the Twenty-First Century. The relation between foreign policy and information security is not immediately obvious, but it should be.
Friedman's previous book (1999), The Lexus and the Olive Tree: Understanding Globalization, showed how everything is indeed interconnected. In this new book he shows how the technology, financial markets, and world trade of all nations are connected and interrelated. So too is the security of businesses and corporations. You can no longer build "good enough" security in isolation; now you have to worry about what your neighbors are doing, because if their security is one step above yours we all know where the attackers will strike first.
Information security, like globalization, is one vast interrelated mesh of paths and connections. Much like neurons in the brain, the information we are sworn to protect is eternally connected -- and thus eternally at risk.
Nietzsche stated this principle of Eternal Recurrence:
While Dan Farmer was at Sun Microsystems he wrote, with Wietse Venema, a paper titled Improving the Security of Your Site by Breaking Into It. It received a mixed reception in the security community at the time, but today it is a historical must-read. It eventually (and unknowingly) gave birth to the debate over full disclosure of vulnerabilities and exploits. But the lesson here is not one of juvenile vandalism but of never-ending curiosity. Everyone should be a hacker.
I was at Defcon VI many years ago with my girlfriend (oh yes, the envy of every attendee) and this guy asked us what we hacked. I said I was a generalist and my girlfriend said she didn't hack anything, that she was just there for fun. He insisted that everyone hacks something and that it didn't have to be computers.
This is a lesson to be learned by all people, but especially the CEO. Staying ever vigilant and innovative is their eternal goal, but isn't that just corporate hacking? Dan Farmer said that in order to know your security, you have to start by tearing it down yourself. In the same way, CEOs today have to be hackers. They have to be able to sit in a board room, encourage their top people to throw out ideas, and encourage others to tear those ideas to shreds. Whatever is left of an idea after that is probably very good and innovative.
CSOs need to do the same thing with their security systems. They need to be innovative in the way they simulate attacks against their own systems. Simply following best practices is not sufficient to protect against real-world attacks, because hackers don't follow the best-practice guidelines. You don't hear many stories about guys saying, "Dude, you can't call up their employees and lie about working for their IT department just to get their uneducated employees to run some malicious code. That's not a best practice." Yet this is the reality of the world around us.
Earlier I spoke about the interconnectedness of everything and its security implications. What if everyone followed these best-practice guidelines? What if, and here's the tricky part, everyone did the things you have been telling them to do for years to improve the security of their systems? Would hackers shake their fists in anger and quit their trade to become productive members of society? No! They would simply and quickly find another attack vector. In fact they are so good at doing this that they are usually one step ahead of the defenders. If all we ever do is follow best-practice guidelines, and everyone can attain the same level of best-practice security, then who gets hacked? The one whose security is only slightly worse than the guy next to them. Who, you might ask, is that? Well, in the digital world everyone is the guy next to you, because there are no boundaries. There are no walls that divide us (especially with the proliferation of wireless networks, which bring into the physical world what the virtual world has long known).