Yoran and Spafs Law

Winning the security war requires the means to do the job.

In his book "Practical Unix and Internet Security," Professor Gene Spafford of Purdue University spells out Spafs first principle of security administration: "If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong."

Spafs principle is a cruel reality faced by many of those responsible for information security. They often are treated like a cross between Charlie Brown, who is constantly picked on, and the late Rodney Dangerfield, who got no respect.

Amit Yoran is a prime example of Spafs principle in action. On Oct. 1, Yoran resigned in frustration after one year as director of the National Cyber Security Division of the Department of Homeland Security. Yoran lacked both an important title and appropriate authority—which are everything in government.

Yoran said he resigned because he had done all he could with limited resources. That much is true. In principle, he had done all he could. But, in fact, he was severely limited. His hands were tied.

Yorans very visible resignation motivated the House of Representatives to change the language in the intelligence reform bill that would have moved responsibility for cyber-security from DHS to the Office of Management and Budget. Such a boost would give the director the necessary power to bring about change in the government.

Further, DHS Secretary Tom Ridge, spurred by Yorans departure, said the cyber-security position would be upgraded to assistant secretary.

I, for one, sincerely hope that the cyber-security position will be upgraded to assistant secretary. But the reality of Washington politics is likely to preclude that.

Scot Petersen says that when it comes to cyber-security, the Bush administration doesnt get it yet. Click here to read his column. The Yoran incident isnt unique. Many organizations like to state publicly that information security is priority No. 1, but, privately, they will not put their money where their mouths are.

Upper management often issues orders such as "Clean up the system at any cost!" Yet when these same managers get recommendations for pre-emptive security implementation, too often chief information security officers are told, "The budget for this quarter has been exceeded. Ask me again later in the year."

Information security is a challenging and technologically rewarding profession. Unfortunately, those responsible for carrying out information security often are not given the authority and budget to get the work done.

Yoran knows what this is like. Without the means to do the job, winning the security war is a nearly impossible fight.

Ben Rothke, CISSP, is a New York-based security consultant with ThruPoint Inc. McGraw-Hill has just published his book: "Computer Security: 20 Things Every Employee Should Know." He can be reached at brothke@thrupoint.net. Free Spectrum is a forum for the IT community and welcomes contributions. Send submissions to free_spectrum@ziffdavis.com.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

Be sure to add our eWEEK.com Security news feed to your RSS newsreader or My Yahoo page