By tony

These aren't the quotes you're looking for.

Another piece from my internal NSA blog (2011), approved for public release, with some new commentary afterwards.


These Aren't The Quotes You're Looking For 2011.02.27 - 03:42 pm

Have you ever read a quote that is so good, so perfect, that it just *nails* something you have been thinking about for years? Well, here's one about the Information Security business that had that effect on me a couple of years ago...


"I've long held the opinion that the community of 'Information Security Experts' agree with each other 90% of the time, but waste 90% of their time arguing to the death with other InfoSec Experts about the remaining 10%."

Hal Pomeranz

Deer Run Associates

from a blog posting, "Calabrese's Razor", February 26, 2009


Wow! How true. This notion has been nagging me for SO many years, but Hal puts it into simple words. This is a great business to work in, and it draws really bright, but really opinionated people. And we do spend SO much time arguing about that last 10%. I don't mind the argument at all, by the way, except to the extent that it paralyzes everyone into inaction.

I refer to this in public speeches as the "Security Jedi Mind Trick" - or "the key to making a living as pundit and consultant".

"Oh, you could perhaps solve 90 problems with that approach, but here's 3 more that you will *not* solve. Gotcha!"

So, over the last few years, I have tried to hear the debate respectfully, but avoid the trap of waiting for perfection. And in my public speeches, I often refer to my "old guy lessons in information security" (currently undocumented in total). One of them is to "Focus on commonality, create a way to manage differences".

That's the story of the NSA Security Guides and the national "consensus" movement that we have led. And think of all of the Community Leadership we do from VAO (e.g., certification authority for all DOD Red Teams, the DOD's Unified Gold Master desktop configurations, the confederacy that developed the Security Content Automation Protocol, ...). These are all about focusing on the 90% we agree on, managing the rest separately...

I know Hal from his work with the Center for Internet Security, and I use this quote with his permission. I just wish I had been smart enough to say it first!



Some contemporary reflection on this topic.

Most of the 90% arguing about the last 10% is just time wasted by ego, diversion, speculation, and one-upsmanship.

I think that our industry was built on an implicit model - we are all "special snowflakes". Each enterprise is one-of-a-kind, our dependencies are unique, the risk appetite of our management should drive everything, etc. Well, some of that is actually true. But here's my modern version of the theme above.

In cyberspace, we all have more in common than we do that's different.

We use the same technology, share a common infrastructure, and are tied together in complex, dynamic, and often not-understood business relationships. Every enterprise is overwhelmed by complex technology, threat overload, tool fatigue, market "fog", regulatory and legal uncertainty, and a poor understanding of the risks they face. If we treat everyone as a special snowflake, then everyone is on their own against an unsolvable problem.

So a guiding principle for my groups at NSA was to focus first on agreement, commonality, and community.

Later I'll go through some detailed examples of how we made this principle real ("operationalized it" in DoD-talk), but for now, here's an early example that broke a lot of ground both inside and outside of NSA, and opened the door for countless other community projects.

IA Newsletter - Security Benchmarks, Vol 5 No 3 (PDF, 1.44 MB)

