I am no longer in the Food Service industry...thank God! If any of you have ever watched Hell's Kitchen on TV, trust me...it is not far from reality. Working in high technology means better pay, less heavy lifting, and weekends and holidays off (more or less).
Still, I learned some things in the Food Service industry that serve as valuable lessons to this very day. One thing I learned is that regardless of how hard you work, you are inevitably judged for the last good (or bad) deed you accomplished, often irrespective of your history. Memories are short, and you always have an opportunity to either redeem yourself, or fall flat on your face. The choice is yours.
Another thing I learned about the Food Service industry is that they have 2 objectives:
- Make Food
- Get Paid For The Food
Hey! What can I say? I am nothing if I am not perceptive.
As it turns out, this carries over into both the Health Care and Energy industries. The Health Care industry wants to deliver health and get paid for it. The Energy industry wants to deliver energy and get paid for it.
We can apply this logic to just about any industry we choose, as it turns out :-)
Okay, so I am here to talk about security. What does all of this have to do with security?
As it turns out, security is essentially about safety (or perhaps safety is really about security). The two go hand in hand...and perhaps can be conflated in some (if not all) cases.
So let's go back to my life in foodservice for a moment. Having spent many years working as a chef in restaurants, I noticed a few things about safety that were recurring themes. One was that every single restaurant I worked in had a fire safety system installed by a competent installer, and (most importantly), the fires safety system itself was built by a competent manufacturer. After this was done, the fire inspector would perform an inspection and make sure it satisfied the requirements for fire safety, and the fire inspector would periodically return to make sure all was in order. Eventually, we saw the arrival of the National Fire Protection Association's Certified Fire Protection Specialist Certification Program, which is ANSI accredited. Additionally, UL has a program in place for approval of fire safety systems (e.g. sprinklers) in use today.
Having worked in a restaurant where the fire safety system has triggered, I have to admit that it is very effective. However, in retrospect, the fact that I find most interesting is that not one restaurant, hotel, or resort (and I worked for some big resorts) had any staff on board who was responsible for the design, implementation, and maintenance of the fire safety system.
They simply hired someone to put on in, got it inspected, and then went on with the business of making and serving food. I have to say, it works splendidly.
So let's take this back to the Health Care and Energy industries for a moment. We need to understand that what we have to do in the security world is get to that point where health care and utility staffs can focus as much of their time as possible on delivering what they are in the business of delivering. We are currently living in an environment where we have place nearly all the burden for securing health care and energy systems on those who are ill suited for the job. Sure, they are getting better...by hiring staff to help get them up to speed, and reaching out to professionals, but is this necessarily the desired end state.
I fully realize that the food service industry is not saddled with the enormous burden of protecting their network stack from intrusion, and that no level of cyber attack is likely to mess with the integrity of their signature dish covered with delicious Béarnaise sauce. Yet the threat of fire is very real, generally quite devastating, and ever present. Nonetheless, we have managed to create a management system that is both extremely effective and extraordinarily simple to live with.
...and let's look at the health care industry for a moment.
We are all familiar with the FDA (the Food and Drug Administration). Hospitals use health care equipment and use drugs that are FDA approved...and absolutely do not use any health care equipment or drugs that are not FDA approved. Okay...at least they better not...or face stiff fines and immediate shutdown (believe me, the FDA is hardcore about their rules). Although it is a US organization, FDA approval is so highly regarded globally that most nations accept FDA approval as a "green light" for use in their own countries. Health care providers do not have to manage staff to ascertain the safety in using FDA approved products. They simply stick with the FDA approved products and (ostensibly) use them to deliver good health care.
I fully believe that we will eventually come to terms with cyber security issues, as we have come to terms with fire, and as we have come to terms with "snake oil" health care solutions of the past. As Paul Kocher of Cryptography Research indicate during his excellent keynote at my Smart Grid Security Summit this past month, security today is still struggling with the same "snake oil" issues that health care had to deal with in the past. As we continue to move forward with addressing cyber security issues, we all need to keep in mind that a lot of what we hear is going to be "snake oil", and we should look towards how other safety issues have been addressed in the past, and perhaps learn some valuable lessons.
Okay...now I'm hungry.