Yoran and Spaf’s Law — in memory of Amit Yoran
I originally wrote this article in 2004.
Sadly, Amit Yoran, one of the pioneers of modern-day information security, passed away yesterday.
He was as bright as they get and as nice as they get.
He left the information security industry, but more importantly the world, a much better place.
May his memory be a blessing.
— — — — — — — — — — — —
In his book Practical Unix and Internet Security, Professor Gene Spafford of Purdue University spells out Spaf’s First Principle of Security Administration:
“If you have responsibility for security, but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.”
Spaf’s First Principle is a cruel reality faced by many information security professionals. They are often treated like a cross between Charlie Brown (constantly picked on) and the late Rodney Dangerfield (who gets no respect).
Amit Yoran is a prime example of Spaf’s First Principle. On October 1, 2004, Yoran resigned in frustration after only one year on the job as director of the National Cyber Security Division of the Department of Homeland Security. Yoran lacked both title and authority…