Fighting the 5 I's of Information Insecurity
Rajesh Unadkat
Every time I see one of these reports, I fight the urge to "live off the grid." Then I remember that I make my living in the technology business. But the point remains: the IT security paradigm is broken. Not just because the threats are increasing, but because the speed at which defenses are being taken apart is outpacing our ability to prevent catastrophic failure. The idea that we can lock everything down with a purely bottom-up approach is not working. We need to implement good practices, policies, auditing, and enforcement to keep the security posture cohesive. It has to be designed from the bottom up, but implemented from the top down in the business. We know that employees are the point of weakness, so how do you improve your human-factored information security posture given the rampant proliferation of shadow IT applications? Banning things rarely works, at least not for long (see social media in business).
This is the soft underbelly of IT security. Your cyber security locks down the perimeter, but how do you prevent the toxic brew of incompetence, inconsistency, inattention, indifference, and ineptitude? What is the difference between incompetence and ineptitude in security? Incompetence is poorly designed processes that guarantee holes from the outset. Ineptitude is the poor execution of those processes by end users. If you design a process that relies solely on users giving their word that they will not use outside software, without any controls or auditing, your plan is incompetent. Whether your employees actually follow through on their training is another matter: the competent ones will, but the careless ones will default to ineptitude, whether by giving out their passwords to social engineers, leaving their laptops on a plane, or using a really bad password taped to their desk.
Proactive prevention is the biggest challenge and the hardest to maintain. Put the graphics together and you have represented a truism of IT security risk. Business users and IT staff usually understand the risks, but don't think they really apply to them. A corollary is that IT security knows the risks apply to them, but the difference between passivity and action is whether being paranoid translates into being secure. What are you going to do about it proactively? Training and awareness are not enough. How do you manage what you don't own and don't know exists in order to protect the organization from bad acts or negligence?
Then extend this to your vendors. You have even less control two degrees removed. Take your vulnerabilities and magnify them exponentially. How do you audit the vendors to make sure that you close the largest holes in the best way possible? You will still have holes in the Swiss cheese, but you want to ensure that their holes don't line up with yours, so that it is hard for the bad guys to get through their systems and yours in a straight shot. How do you know? Based on the evidence about the number of undiscovered breaches, it is hard.
What do you do about it, given that all of the countermeasures you deploy today still leave you insecure?
Educate, educate, and educate. Audit, audit, and audit. Then build a continuous system for compliance, auditing, and risk management that manages by exception rather than merely responding to exceptional security events. Design for human nature rather than for human intervention.