With apologies to the ghost of Hunter S. Thompson, I write this as one of Hunter’s favorite words for a person who was fresh meat in battle, “Rube.” Thompson’s battle theaters were politics, war, corporate malfeasance, sports culture and media as infotainment.
Personal and Professional Data Deluge
My new battlefield is IT security and compliance automation. My first tour of duty was the Gartner Security & Risk Management Summit 2010 (Participant threads on Twitter here: http://bit.ly/9EmuJB ). I prepped for this summit by carnivorously cutting my teeth on data breach stories past and present, IT security spending trends, and leaching off the minds of Infosec’s (Information security) indentured servants, on the battles between “white hats” and “black hats” on the Wild Wild Web, and discovering other ominous terms out of Sci-fi novels like“Cybersecurity,” “Bots,” “APTs,” and “Widening Attack Surfaces”
Jerry Bruckheimerwould have blushed, to be sure.
What washed up on the beach
A few observations after wringing out the jet lag and the PowerPoint deluge from my brain:
- A random sampling of attendees at sessions and lunch tables revealed that at the end of the day “Security” centered on protecting personally identifiable and critical business data and infrastructure from being taken, taken over, lost or peppered with unauthorized access.
- Security, IT or otherwise, is measured day-by-day, hour-by-hour and is a life-long journey, not a destination
- “Absolute security” is not only impossible – it can be as harmful, if not more harmful, to a organization than a full-blown breach
- Fear, Uncertainty, Doubt and Dread (FUDD) is the prevailing mood
- John Ashcroft being self-deprecating was uncomfortable for both of us
- I left more insecure than when I got there
Audit Fatigue, Breach Fatigue & the “Red Bull” of Knowledge
When I say insecure, I mean to say that once you dive into the vernacular of threat vectors, the data that points you toward the fact that great harm can come from something as seemingly as innocuous as a worm and that organized crime prefers data theft over illegal drugs as its most profitable illicit enterprise – human nature dictates that you’ll feel more than a little spooked.
And yet…despite evidence to the contrary…the more I talked to people on the front lines of protecting personal and business critical information and IT infrastructure from Black Hats, well-intentioned white hats and IT admins with baseball caps or no hats at all, the more I came to realize that they want to put FUDD out to pasture with knowledge.
A survey of people whose names I’ve forgotten, but faces I might recall, resoundingly said they were not only experiencing audit fatigue from having to pore over data logs until they were blind from seeking out suspicious needles in a stack of less suspicious needles–but were also well worn of data breach horror stories (3.4 million search results on Google as of this writing).
One woman from a well-known insurance company told me flat out: “I don’t need to be scared into taking action. I just need to know what I can do to stop it,” pausing briefly, then continuing, “and how to convince my boss that we need to do it.”
So, for her and the others I listened to, spoke with or spied on, I’m going to hunker down in my IT Security foxhole to find the “HOW?”and continue my battle to neutralize the FUDD
I heard over and over that Goal #1 was to protect data with the visibility to find threats before the breach, the intelligence to take decisive action and the automation to both keep operations up and running and securely use data through automated security controls to get business done. Find out more on how Tripwire does this here.