While the military is not without shortcomings, I take issue with any attempts to dismiss the military security mindset, as Gartner vice president Jay Heiser did in his recent column.
Military science has spawned a number of successful technologies and methodologies. Military R&D changed the face of the world several times over, as military engineers developed the means to overcome a previous generation's successful defenses. The nature of the problems facing information security professionals is not much different from those the military has faced for centuries: advancing technology, evolving threats, surprises and serious consequences.
Military engineers learned quickly that no single defensive mechanism, be it a moat, "great wall" or network of trenches, could defeat an advancing enemy. However, by combining multiple solutions -- i.e., a strategy that we've come to know as defense-in-depth -- they could mitigate the impact of an attack and slow an enemy's progress enough that countermeasures could be deployed.
If you are familiar with the concept of a virtual DMZ -- an area that separates a protected network from a hostile one -- you are surely familiar with what the acronym stands for: demilitarized zone. For those without a sense of history, the patch of ground that divides the nation that was once called Korea is a real-life DMZ.
How many security firms were started or staffed with veterans of defense and intelligence agencies? Military officers working in intelligence and infosec fields started firms like WheelGroup Corp. and Riptech Inc., now part of the security practices of Cisco Systems Inc. and Symantec Corp., respectively.
Also, it's worth noting that there would be no commercial infosec industry were it not for ARPANET, the precursor to the Internet and an effort sponsored by the U.S. Department of Defense. After ARPANET was threatened by the Morris worm in the late 1980s, the DOD funded what would become the Computer Emergency Response Team Coordination Center (CERT/CC), which has served as the template for countless commercial imitators.
There are certainly situations in which military-oriented methodologies are not suitable for use in the commercial world. Military goals tend to be final and absolute, while businesses have to maintain a fluid state of flexibility, able to undo decisions as market dynamics change. Problems and mistakes in business can typically be addressed with marginal consequences.
That's not to say mistakes aren't OK in the corporate infosec world, yet organizations large and small often fall victim repeatedly to the same types of attacks and continue to follow bad practices, at least until a ChoicePoint-like scandal exposes their actions. That mindset simply doesn't cut it in the military. It can't afford to make security mistakes when lives are on the line.
Last but not least, it is the defense and intelligence communities that fund think tanks and graduate schools, which ferment the ideas that will evolve into the security solutions of the future. For all these reasons, the military security mindset deserves a salute, not the brush-off.
Michael Tanji is a veteran of the Army and several intelligence agencies, and an associate of the Terrorism Research Center in Arlington, Va.