I find myself asking if recent hacking/attacks on organisations is just a blip, or does it indicate another significant change in the way we view InfoSec?
Let’s give this some context. I have been working in the vendor part of the InfoSec world for well over a decade now, and have been fortunate to be in the right place at the right time to see changes in our industry as they have happened first hand. Three events spring to mind: the emergence of email-borne viruses going mainstream ten or so years ago, the drive for compliance and rise of DLP-type technologies in the middle part of the decade, and towards the end of the noughties, the mass adoption of encryption technology. All three saw changes in the way technology was adopted and used by organisations.
The strategic changes have also led to changing times and requirements in the use of technology in the wider public sector. We’ve seen the requirements for data sharing result in the GSi and its offspring. What started off as the e-Government initiatives, and was formalised by the Blair Government, has resulted in channel shift across the board. DVLA’s requirements to reduce costs delivered to my mind one of the best projects of the last ten years, the online tax disk project, and in a wider sense, the Government Gateway. In latter years, a need to manage the sheer volume of data being created, held and published has resulted in the creation of the ICO.
So the question I ask myself is, what now? Every day there is another report on another hack. Citibank, Codemasters, Sony, RSA and a stream of governments around the globe are on the receiving end of deliberate, targeted and malicious attack. In a wider sense, documents are obtained and published via Wikileaks, and the law is challenged by the publication of details in online environments previously covered by Court order. Open data initiatives are driving information to the periphery of organisations, just as fast as the same organisations are recoiling from putting it there. Add in new technologies in the mobile environment and whatever Cloud manifests itself as and we have a stew of complex and difficult ingredients to digest.
There is only one answer to my mind. A fundamental reappraisal of the approach is required, and brutally, we have the bad guys to thank. Who here hasn’t struggled to get a security project signed off? Who hasn’t spent time explaining the impact of a breach and its likely cost, only to get the impression that you don’t have everyone’s full attention. Security has been seen as insurance, rather than an enabler by those upstairs. As a result, it’s often had short shrift at budget allocation time. In highly regulated industries they haven’t had a choice, and despite the ICO’s best efforts, we in the Public Sector aren’t actually that regulated. So the fact that organisations across the world keep getting savaged, and it’s costing money both in the immediate and longer term, means its changing. Legislation is being enacted by the EU to help, but I believe that it’s time for InfoSec professionals to go on the offensive (but in a nice way).
So, we have people’s attention. In order to spend the attention wisely, I maintain that the Health and Safety approach is the correct one. Security needs to be properly baked into projects. We must assume that something somewhere is going to go wrong at some point, and look to mitigate, but crucially, to remediate. Like Health and Safety, we have to assume that people will do silly things, and treat them accordingly. Metaphorically, we need signs up, barriers placed around open manhole covers, hard hats on and people not carrying scissors about in a stabbing grip. Health and Safety is an easy target for comedians, and people sometimes feel that they are treated like children because of it, but road deaths are a fraction of what they were 20 years ago, fewer people die on building sites these days and airline travel is the safest it’s ever been.
The world today requires InfoSec Professionals to provide clear, concise and above all flexible coverage to allow our respective organisations to do the things it needs to do better and for less cash. Our world has changed enormously in the last 12 months, and we must change with it . Simply banging dustbin lids together yelling ‘we are all doomed!’ will not suffice anymore. The Health and Safety approach will work, and I believe we have a mandate to do so.