“If people don’t know that they are incompetent in an area in which they are trying to solve a problem, their solution is likely to be suboptimal.”[1] This is of significant concern, given the evidence of management hubris coming to light through the post-incident reviews and aftermath of data breaches. There is also risk (analysis) paralysis[2]: evidence of incomplete risk understanding, incomplete risk documentation, and inaction, which amounts to shouting about risk in a vacuum. Many of us attend meetings; read journals, blogs, and articles; and talk to each other about a subject we all know or write about ourselves through the myriad of communication channels available to us these days. Yet still the changes required are insufficient; the level of embedded practice is not taking hold; the “build security in” design principles have not been adopted sufficiently, as can be seen by the ongoing data breaches continually being reported in the news. Invariably, it turns out that the original chink in the armour was something basic, a fundamental security management tenet that should have been in place, such as patch management, vulnerability management, or, gee, not using a weak admin login password. More worryingly, there have been security professionals involved at some point in the journey of all the organisations experiencing breaches. There will also invariably have been audit reports highlighting areas of concern requiring attention. With respect to those who I know personally are involved, the notion of a UK “trustworthy software initiative”, however well intended, is actually naïve, given that it is doomed not to succeed sufficiently to address the severity of the situation we find ourselves in if it cannot actually address the source in mind.
The majority of application-level software is written in the languages required for iOS or Android, and thus the companies that need to be influenced to ensure the security of their platforms are Apple and Google. To the theme of this blog, consider this in the context of the original trustworthy computing initiative – one that is 13 years old. When will enough be good enough? Not for as long as the criminals are better funded and better resourced than the rest of us, sadly. Being compliant is not the same as being secure. We’re seeing that clearly, given that many of the organisations that have experienced significant breaches over the last few weeks, months, and years have all had, to some extent, some regulatory or industry body standard for which they had evidence of compliance (PCI, HIPAA, ISO 27001, etc.), irrespective of the actual law of the land with which they should also comply. There are data protection/privacy laws the world over that have central principles around protecting people’s data. It is not rocket science. There is a collective failure in the system of systems here – part of the complexity problem previously identified. We should have matured beyond tick-box compliance; we know that there is applicable legislation, and irrespective of our own subjective views on the validity or soundness of the constructs of the law, many countries have by now taken the time to commit to the statute book a law that addresses either the cyber domain or the need to protect data. So what’s going wrong? Why are security professionals and auditors not being listened to? (Problem 1 – they speak different languages to address the same core issues – not good... Let’s return to that in another blog post.) Why are the available recommendations or identified risks not being adequately addressed? These are the questions that keep me awake at night!
We are collectively risking significant backlash as a profession if we don’t start to really grab this ugly reality by the proverbial throat and shake things up. It’s time for a revolution, because our evolution appears to be failing miserably. Remember this: ignorance is not bliss, nor is it a defence in the eyes of the law. Given the availability of information, there should be no excuse for not seeking out the truth, or at least for not ensuring one has researched and is well informed before embarking upon a perceived new route.
[1] Funston, F. and Wagner, S. (2010) Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise. Indiana: John Wiley & Sons. ISBN-13: 978-0470247884.
[2] Hillson, D. (2014) The Risk Doctor’s Cures for Common Risk Ailments. Virginia: Management Concepts Press. ISBN: 978-1-56726-459-3.