The adversary factor
Frank Breedijk
There is one thing that sets security apart from all other areas of expertise that you find in modern-day businesses. No, it isn’t our love for black t-shirts, the infinite amount of Club Mate we seem to be able to digest, or our sticker-covered laptops. It is that adversaries are part of the daily routine. Security in that sense is a negative occupation, since you are always securing yourself against somebody.
Even when you compare seemingly similar fields like safety and security, adversaries make the difference there too. Both safety and security professionals try to prevent assets from being harmed by threats. In the case of safety management these threats can be natural (e.g. flooding) or manmade (e.g. workplace accidents); however, they are never intentionally created to harm the asset. Security teams, on the other hand, deal with threats that are almost exclusively manmade and do have the intent to harm the asset.
Because of this 'adversary factor' the interests of safety and security are not always mutually beneficial. Let’s take the example of fire safety. For the benefit of the people in a building it is mandatory that doors unlock themselves in case of a fire, allowing everybody to leave the building in an orderly fashion. However, from a security standpoint it is much better to keep the doors locked to protect assets in the building. Safety does not have to account for an intelligent fire, a fire that knows it needs to strike when a building has the most people in it (but it must account for a fire that happens at that time by accident). Security, however, has to be prepared for an attacker who deliberately sets a fire in order to unlock the doors.
“2013-02-17 Flee, you fools! II” a CC NC image by Henning Mühlinghaus (https://www.flickr.com/photos/43144679@N00/8509120653/)
Security measures are forced to evolve, because the attacker evolves as well. Fire will not all of a sudden start to behave completely differently, but attackers may come up with new abilities overnight. This happened for instance in April 2017, when a group calling themselves ‘The Shadow Brokers’ leaked a number of NSA exploits to the general public along with a framework to use them (similar to Metasploit). (See: https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/) Overnight, two things happened. Everybody gained insight into the abilities of the NSA acting as an adversary, and the other adversaries obtained abilities they didn't have before.
Dealing with adversaries takes a special kind of mindset, which makes (information) security fun as well.