We’re all Witch Doctors
In primitive societies and cultures, there was a widely held belief that many of the forces controlling man’s fate were, well, outside of the control of man. The notion that we could control something akin to “risk” would have been considered pretty far-fetched indeed. Listening to a group of security industry professionals discussing the problem of how to control, or manage, risk in their industry at a recent conference in Silicon Valley, one could easily wonder whether the notion wasn’t as far-fetched as it might have seemed to a bunch of cave-dwellers huddled around a primeval campfire.
Holding back the hordes
To begin with—how does one manage risk in an age when all the risks have yet to be identified, and new ones are being created and dreamt up every day (if not every hour on the hour)? The hordes are truly at the gates. And it is our job, as security professionals, to keep those unrelenting hordes outside our employers’ gates, by continuing to secure networks and devices and the rest of the security apparatus—that is, by protecting not just the company’s data, but its vital information. And, my friends, they are not the same thing.
For the last 5–10 years, traditional thinking in IT security has held that securing the networks—controlling access to the data—was the key to maintaining the integrity and security of a business’s operations. That’s a job we have been doing well enough. (Or so we thought. Or were we just deluding ourselves? More on this later.) A decade, 15 years ago, we built the firewalls to keep out the three hackers down the road in Berkeley. In other words, we controlled and managed access to the company’s data from outsiders, and essentially sat back, thinking we’d succeeded in establishing and maintaining IT security. We felt we knew who the “bad guys” were, and how to stop them from stealing the company’s data. But we never really asked ourselves what the new threats to not just data, but information, security might look like a year down the line. Five years. Ten years.
In fact, few of us paused to ponder what difference(s), if any, there might be between data and information, and what the implications for our industry might be resulting from said difference(s). Neither did most of us address—at least, not in any comprehensive, strategic fashion, anyway—the risk, or threat (again, these are two different things) from those working within our own organizations with authorized access to the data and the information. As a result, a lot folks have been going home at night—each and every night—with some of their company’s invaluable information stashed away on their I-Pods (or other storage device of choice).
So what am I saying here? I am saying we have been deluding ourselves for quite a while now, thinking that our jobs securing data/information are done. So where does that leave us now? Where do we go from here?
Trust, but verify
I think trust is key. I’m not talking about naiveté. I’m just saying that bad things are going to happen, so let’s minimize the threat by nurturing mutual trust and confidence. In particular, you can educate your people as to the issues pertaining to information security, thus boosting awareness of those issues, and you can provide training and perform pre-employment background checks and the like. The point is, we can no longer afford, when planning, budgeting for, and implementing IT security, to think only in terms of protecting data networks, devices and assets. We will have to think increasingly in terms of how to monitor information usage. And this inevitably brings us right back to the notion of trust: there has to be some significant degree of trust in any business, a faith, if you will, that you can count on a certain minimum level of trust in how your employees handle the information and data to which they have access. What it comes down to, as one of the conference participants put it, is this: People (your employees) are either scum—information thieves—that need to be eliminated, or they are entities that need to be trusted. After all, you need trust in order to be able to make a business—any business—function.
Looking toward the future
Monitoring behavior and usage should prove to be a major part of doing IT security in the future. Intelligence gathering is another potentially very powerful tool that will be used increasingly to protect our infrastructures and to safeguard our businesses, as part of an appropriate risk management life cycle. In more general terms, we should try and be both proactive and reactive to the new threats that we know are coming our way, and which no doubt will continue to come our way. Having a more forward-looking threat assessment strategy may also prove key to our future success in improving and enhancing the safety and security of our businesses. That way we will not be mysterious workers of wonders or witch doctors, we will be advocates of the business with effective tools for promoting a productive business culture.