We are told that death and taxes are the only absolutes in life, but I would like to propose we add security breach to the list. As long as humans have had secrets, there have been agents at work to expose and compromise them, even well before computers. Clandestine information gathering as a weapon through intelligence, espionage and propaganda, is as old as the written word, with references in ancient literature by Mesopotamians, Sun Tzu in China, Chanakaya in India and the ancient Greeks. The history of man is a history of deception. In the timeline of data security, technology is merely a paradoxical accelerant, providing increasingly efficient tools to both subvert and defend, increasing complexity, while making it easier to control.
This week I presented at the Portable Computer and Communications Association (PCCA) workshop and participated on a panel where we discussed the security considerations of big data. The scale and complexity of systems is increasing at an exponential rate, with even more data generated in the process. A single SMS message generates more than 20 log files through a carrier’s infrastructure, multiply that by the 2 trillion SMS messages sent in the US alone in 2011 you begin to understand the enormity of data being generated. The exponential increase in the data we collect and diversification of where the data lives, makes securing it all the more difficult. The same increase in computing power that helps process and protect the data is used by attackers to scan, exploit and harvest it. Regardless of motivation be it financial gain, hacktivism, warfare or simple malicious intent, security breaches will continue.
Organizations can invest in technology and establish policies to help reduce the risk of a breach, establish controls to detect when they occurs and have plans in place to react when it does occur, but there is no way to guarantee 100% that you won’t have a breach. When the board asks security and technology executives “will we be hacked?” it is your job to explain to them that it is not a yes/no question. It is not a question of “if” you will be breached, but “when” and to “what degree” and explain the measures you have in place to mitigate the risks associated with a security event. By taking a risk-based security management ( RBSM ) organizations begin to focus on reducing security risk by establishing metrics and baselines to measure and improve their security posture.