A Balanced Response to Allen Gwinn

Allen Gwinn is a Professor of Practice at the Southern Methodist University’s Cox School of Business. In a recent article published by The Hill, Allen Gwinn shared his bad opinions about why data breaches keep happening and what we should do instead.

Tempting as it may be, I’m not going to dunk on Allen in this blog post. Virtually everyone on Twitter who saw his opinion piece dunked on Allen.

My favorite part was where you said we should ignore all current infosec advice and go back to older advice! We should ignore current medical advice and go back to leeches too!

— @cooperq 🏴 (@cooperq) May 18, 2021

Allen has been a self-described “gadfly” since at least 2007. Dunks won’t change his mind or shame him into rethinking his poorly thought-out arguments. But rest assured, they are poorly thought-out, and I will explain why.

Allen Gwinn’s Argument

If we all read the same opinion piece and not some cleverly subversive Rorschach Test designed to expose our cognitive distortions, this should be an uncontroversial summary of the argument he made.

1. Despite all of the work the security industry does, security breaches keep happening.
2. The reason they keep happening is, therefore, because the “industry best practices” are the ones who are wrong!
3. The reason these best practices are wrong is because of all the red tape that are dictated by so-called best practices.
   • For example, network operators don’t have complete visibility into the network at the same level an attacker would.
4. The breaches will continue until our industry best practices improve.
5. The way companies should improve the industry best practices is to embrace “holistic” approaches to information security.
6. Also, companies should implement punitive practices to punish employees who fail the brutal gauntlet of computer security.
7. Companies should also consider never hiring an information security professional if they’ve ever worked for a firm that has ever had a security incident.

The Good Parts of Allen’s Argument

I’m generally sympathetic to the argument that our best practices are wrong.

From an outsider’s perspective, it’s incredibly frustrating to see breaches keep happening despite all of the red tape, certifications, gatekeeping, and the egocentric posturing and pontificating of security practitioners online.

From an insider’s perspective, the security industry’s best practices largely the result of survivorship bias and not the consequence of a methodologically sound process.

We, as an industry, keep shitting out checklists like the OWASP Top 10 and telling software developers to use them as a scoring rubric for how secure they are, instead of distilling the core lessons of application security into a set of universally applicable tenets that one can drill down into if they need more specific guidance. We could certainly do better by teaching application developers about threat modeling earlier in their education and developing frameworks like STAMP/STPA-Sec. Instead, we keep sending out phishing campaigns that promise much-needed financial relief to incredibly desperate people with the intent of punishing anyone who clicks.

My point is, no matter where you stand, there’s a lot you can point to, and correctly criticize about, the security industry’s best practices.

But the problem with Allen’s framing is: Most of the largest security breaches that impacted most of our lives in recent years were the result of the best practices not being followed.

Equifax was famous for their reliance on weak passwords and neglected to patch Apache Struts for months after vulnerabilities were known to the public.

The root cause for the Colonial Pipeline ransomware attack hasn’t been made public yet, but it was likely the result of infrastructure challenges and an underfunded security program to try to meet those challenges. (I’ll update this blog post if the specifics are made public.)

Although I’m sympathetic to Allen’s arguments that our best practices aren’t good enough, his reasons for claiming so don’t stand up to scrutiny, and he offers no real solutions to the problem–and his opinion piece only gets worse from here.

The Bad Parts of Allen’s Argument

After making an understandable-yet-flawed swing at the security industry’s best practices, Allen’s opinion piece goes immediately off the rails into the territory of dangerously ill-advised.

What can businesses and industries do right now?

Implement a “one strike and you are out” hiring policy for information security employees. When they fail, do not let it happen twice.

Also, never hire an information security employee who has ever worked for a firm that has had a security incident. Their “industry best practices” did not work for the previous employer, why would they work better for the next victim? These former employees bring disaster.

Allen Gwinn, Our cybersecurity ‘industry best practices’ keep allowing breaches, The Hill (2021).

Okay, deep breath.

Let’s talk about these suggestions with minimal profanity.

On “One-Strike And You Are Out” Hiring Policies

Computer security is hard. (If it wasn’t hard, companies wouldn’t get breached so often!)

Computer security is hard because defenders have to be right 100% of the time, and attackers only have to be right once. Attacks only get better, they never get worse.

Many of us disagree about how to make computer security less hard. I believe ubiquitous hardware security tokens, multi-factor authentication, and support for anonymous credentials (i.e. Privacy Pass) would eliminate a lot of successful attack vectors (i.e. phishing). Others might disagree with me due to the cost of implementing this universally.

What certainly won’t work is turning computer security into a brutal Darwinian gauntlet where only the securest can survive. I find it alarming that a Business School professor is ignorant of the wisdom of Thomas John Watson, Sr. of IBM:

Recently, I was asked if I was going to fire an employee who made a mistake that cost the company $600,000. No, I replied, I just spent $600,000 training him. Why would I want somebody to hire his experience?

Thomas John Watson Sr., IBM

Turning your I.T. department into the Thunderdome will only serve to exacerbate the existing problems of anxiety and burn-out, especially among junior employees. The increased turnover caused by brutally firing people for making a mistake will only starve companies of institutional wisdom and increase their blind spots, thereby making attacks more likely.

And we haven’t even gotten to the worst of Allen’s opinion piece.

On “Never hire an information security employee who has ever worked for a firm that has had a security incident”

This one doesn’t even make sense!

Allen’s assertion here is the “have sex with a virgin to cure yourself of HIV” of computer security.

Do you know how people gain experience learning to defend against attackers, Allen? By putting skin in the game and responding to security incidents, Allen.

What do you think penetration testing is?

The solution to all of our business’s security woes certainly isn’t to hire people who have only worked for firms that have never had a security incident.

If you were to implement this policy, you would face two problems simultaneously.

1. Nobody with security experience would be able to get hired anywhere anymore, because all of us have worked for at least one firm in our careers that has also had at least one security incident during their company’s history.
2. The only firms that would likely be able to claim “no security incidents” aren’t the ones who “haven’t been hacked”, but rather, the ones who have no indication of the attacks that are actually occurring and whether or not these attempts are successful.
   
   If any company claims a perfect security record, I immediately find them suspicious and have a lot of questions about their monitoring infrastructure.

If you’re trying to protect people’s private information and prevent pipeline disruptions, the solution isn’t to ban everyone that isn’t an ostrich from the industry.

Furthermore, even if you employ the most savvy people in the industry, if the company they work for doesn’t enable them to do their job effectively or doesn’t implement their suggestions, a data breach is likely to occur. Should they be barred from entry from the industry for the rest of their careers for an outcome they couldn’t control?

Why Does Any of This Matter?

A lot of people think Allen Gwinn’s opinion piece in The Hill is satire, but his Twitter bio currently reads “I.T. Professor. Advocate for retooling the Information Security industry. Return to the roots of technical competence and accept no losses or breaches.” and his feed is filled with exchanges like this.

https://twitter.com/allengwinn/status/1394843824992755718

So the natural response to this information is, “Why are you wasting your time talking about some troll’s bad takes?”

Two reasons.

First, Allen Gwinn is a University professor and probably has exposure to impressionable students. If this is the sort of nonsense he’s filling students’ heads with about information security, he’s going to create generations of poorly informed business majors who will effectively sabotage their company’s efforts to improve security.

Second, his bad takes were published in The Hill, which has a nontrivial readership. The unchecked proliferation of bad advice and flawed reasoning can cause a combinatorially explosive amount of harm that’s difficult to visualize.

When someone shows their whole ass to the world, sometimes you don’t want to feed the trolls. Other times, you have to address the clown and say, “This is not acceptable.”

And who better to tell someone they’re being ridiculous than a furry who sometimes writes about cryptography?