What are the key elements of a good security program? Why did you answer that way?

It seems a lot of security is "handed-down" knowledge. We pride ourselves on data- and evidence-driven decisions while suggesting security is too hard to measure and pin down. Curious, no?

Jason Brvenik (LinkedIn, @vrybdpkt), CTO of NSS Labs, suggests it's time to challenge our assumptions and question the dogma of security to get better results. Jason's career is marked by recognizing difficult challenges and applying new technologies and strategies to counter risks.

As CTO at NSS Labs, Brvenik oversees the company's renowned independent testing and validation of security technologies, helping buyers find "truth in security." Prior to NSS Labs, he served as Principal Engineer in the Office of the Chief Security Architect at Cisco, a role he assumed following Cisco's $2.7 billion acquisition of Sourcefire in 2013. Brvenik was a Sourcefire Fellow and vice president of Security Strategy at the time of the acquisition. He spent 11 years at Sourcefire leading diverse business and technical operations for one of the security industry's most influential and disruptive companies focused on network security and fighting malware.

He sets up and slaps a shot to challenge our dogma in security:

Confronting dogma and outsized assumptions in cybersecurity

I am always surprised at the outsized influence of assumptions and dogma in our cybersecurity field, since we operate in a world of objective results. These incumbent attitudes remain just below the surface and are easiest to spot when major incidents like the WannaCry or NotPetya attacks flood news cycles.

First—look at assumptions. Few things in security are certain, but it is striking how many decisions are still guided by gut reactions and what's assumed to be true. Take the "defense in depth" concept of layered security. No one disagrees with the theory here. Yet despite our now mobile and cloud-driven world, the model continues ad infinitum, where new layers are continually deployed in front of each other to the point where actually managing all the layers introduces new challenges.

Defenses too deep to manage compound security problems, because new tools offering temporary peace of mind obscure the question of whether any real benefits offset their additional costs. Venture capitalists might not like to hear this, but I think we are already saturated with products for fighting known security spending catalysts like ransomware, which can and should be countered with existing technologies and practices.

There has never been a greater premium on being able to measure the performance of security products, people and processes.

Now look at dogmatic arguments characterizing security—too often used with media, executives and other crucial audiences. We still hear voices say that ransomware victims get what they deserve because they did not patch. Other experts lambast users running any version of legacy software. Blaming the victim is no more acceptable in the cyber domain than elsewhere. Yet others assert that developers cannot ethically end software updates for even decades-old code. Who else has heard that attribution is a crucial, fundamental principle of defensive postures—except when it is a completely irrelevant waste of time and resources?

Where does dogma come from? It is too easy to blame vendors and marketing hype. Dogma is ultimately fed by upbringing. We all learned security at different times in different organizations where we found reassuring "truths." Depending on our mentors and the organizations we served, instincts on attribution, the human factor and other flashpoints make perfect sense to some CISOs and sound irrational to others.

With each of us responding to more executive questions and oversight, we owe it to ourselves to re-think our convenient illustrations and arguments. Sometimes posing questions in heated situations is more important than registering an argument. We will never have all the answers and will always draw on experience, but this does not mean we should settle for guesswork or polarize conversations.

My analysis (color commentary)

Jason nailed it. We rely on dogma and assumptions to make decisions while searching for evidence. I do think we're at a pivotal time in the industry, and the more we bring this up, challenge our assumptions constructively, and support each other in the quest for truths, the better we'll all be.

Your turn—react

What do you think about the dogma and assumptions of our industry? How do you propose we bust some myths and work together for a better tomorrow?

Take it to our Facebook page or engage with us on Twitter (@catalyst & @vrybdpkt).

Ready, set, react!