Let’s #FixIt: Information security and the fud of the breach

EYEREPRTIf I told you tomorrow that a major corporation was going to be breached and a huge volume of credit cards or personal identifiable information was going to be released. You would not be surprised. “What is the big deal”, you might say. “Why should I care?” you might remark. If I told you, it was your information it would be closer to home. If it was your corporation and your job that was going to be affected it would be time for dram of Scotch. Maybe more than a dram.

Tomorrow morning when you wake up your organization is going to be breached. Your most sensitive documents are going to be available to anybody with an Internet connection. The total cost for breach will be calculated using silly metrics like users and the stock price of your company. The actual business impact will be relatively small and located within small pockets of the company. Yet a massive hit on productivity will happen as every person in the company opines on the outcome of the breach. Regulatory and legal oversight will increase and various states you do business in will peek out of the forest and give your company the hairy eyeball of shame. Three business quarters from now the stock will rebound and a bunch of new information security professionals will be waiting to be the sacrificial fires in the face of breach next time.

It is the information security churn cycle. A varied form of shame, blame, and constrain the problem. Today we have an opportunity to fix it. It doesn’t take technology, it won’t cost your company a dime, it might dramatically improve efficiency, it is shiny, it is old, it could be blue, but in reality all of it is common sense. It comes down to one sentence.

You are going to be breached get over yourself.

What we’ve done and how we got here isn’t germane to where we are going. The entire information security paradigm is changing nearly as fast as the iPhone release cycle at Apple. More than the simple stack of protocols and programming languages that make up the creative environment. The culture, use, uptake, and principles of how information integration occurs in our lives is outpacing the controls and techniques of information security. That leaves us with some grand challenges in securing information assets and as such we really need to start thinking beyond the box.

Let’s fix information security and look at metrics. The first thing we have to do is stop thinking of things as secure or insecure. It is an easy trap to fall into that something as simple as available or unavailable might be relevant. Yet what is three quarters of confidentiality? How much is ten percent privacy. There are quantifiable aspects and non-numerical aspects to security. We need to measure the right things and determine success and failure on those new metrics. Lots of people talk the big breach but what is the actual cost of a breach? That is a lot harder question to answer. Exposure of particular information or business practices is bad, but measuring that “badness” index is still in its infancy.

Let’s fix information security and look at users. I can use the best password possible and if a company doesn’t keep it controlled then it is useless. If we can kill passwords completely we might have better technical controls. If we can’t, then we need to know they are a stop gap barrier to information exposure. Blaming users for using the systems we have built as technologists is silly. Users should not know as much about security as the information security professionals. We don’t expect users to know as much about mechanics as an SAE master mechanic. We just expect them to be able to drive. Somewhat.

Let’s fix information security and look at money. Information systems are funded and built because they make users and organizations more productive. They cost according to Gartner nearly 20 percent of the operational budget, but we only spend around 5 percent of that information technology budget on information security. The information technology infrastructure stack now is a critical element towards many business sectors capability of being productive or even operational. Yet the companies in many cases have bigger line items for gates and guards than they do information security professionals. We need to invest in infrastructure asset protection capability and not fire them for being successful.

Let’s fix information security and look at reality. We are moving rapidly into the post PC era. The bring your own device world is here. Whether we do mobile device management or some other form of data protection is not germane. If you are still running stovepipes of information you are so far behind that relevance is going to be an issue. Information technology is becoming a utility and the skills gap is moving past PC techs and will move toward innovation and integration. The skills for the modern IT environment are less about core capabilities like up time and throughput and leaning toward dev/ops. We are past PC/Server and in the era of cloud and SaaS deployment. Next will be trans-convergence, and a topic for another day.
Let’s fix information security and look at risk. Defense in depth is dead. The advances in malware and other associated badness is making the edge look way less secure. Defining the edge of your network is getting harder and harder. In autocratic or dictatorial enterprises you get a level of control at the cost of a level of flexibility. In high availability environments the edge is soft, and even in those government and military applications what the edge actually looks like is changing. Your car with Bluetooth adapters may be part of your information enterprise. Don’t use Bluetooth? What about the routers and associated transmission systems between your home and the enterprise network. Edges are illusory and data security is the rising concern supplanting systems security. What you secure at what level is incredibly important and changing.

Let’s fix information security and look at culture. If you have information security teammates who look askance at users fire them. We don’t have time in a modern information enterprise to allow the prima donna security engineer culture to continue. This has been getting better, but vigilance is warranted. We have had a lot of celebrity information security over the last couple decades and enthusiastic amateurism that needs to stop. Anybody who has the keys to the corporate empire had better act like they know what they’re doing. They had better be respectful of the users. They had better be credible enough to testify in court if things get really bad.

Let’s fix information security and look in the mirror. Nobody has all the answers and the latest greatest fad is only going to cause pain. We chase a lot of unicorns and rainbows in information security because the reality is harsh. As practitioners and managers we need to invest in ourselves. What skills do we need? What people should we know? What information will help us? Are we building a technology infrastructure that facilitates organizational success or are we focusing on the points of failure at the cost of opportunity. Only our own reflection will tell us the reasonableness of our actions. Only through the lens of the enterprise should we be able to answer.

I surely don’t have all the answers in a 1200 word post. At the too long didn’t read end of the spectrum I can only try and generate interest and thought. I have a wall of books trying to solve all of these issues but they still remain. The problem with information security isn’t users. The problem with information security isn’t technology. The problem is us. Let’s fix information security and look at us a little closer.




Leave a Reply