November 6, 2009

Towards the paperless office

A few weeks ago I reported that I could sense a new, much more determined mood across the UK business community to embrace electronic channels to overcome the postal strike. You can really see the aspiration in the eyes of sales executives to turn a major disaster into a business opportunity. So what has the response been so far?

My contacts in Mimecast, a leading vendor of cloud-based email security services, tell me that they noted a 20% increase in the volume of email on the first day of the Royal Mail postal strike. In fact they've seen this level of increase before during previous strikes. So is this just a routine knee jerk reaction? Or is it something different?

In fact I believe we've hit a tipping point. Things are different this time around. One of the main characteristics of tipping points, as articulated by Malcolm Gladwell in his groundbreaking book on the subject, is the 'power of context', the particular conditions and circumstances of the time and place.

In this case we have several factors coming together. Firstly, there is a greater recognition that electronic channels are now the norm, rather than the exception, for many forms of business. Secondly, there are now plenty of easy-to-implement security products to help companies make the transition from snail mail to secure email. And thirdly there is less fear of deploying complex technologies such as encryption to solve business problems.

But above all, there is a new confidence that a paperless business environment is now a viable, as well as a desirable objective. Years ago, we used to joke that the paperless office would come after the paperless toilet. Perhaps we were mistaken...

November 1, 2009

The limitations of risk assessment

I've just posted a short article on the limitations of risk assessment on my Infosecurity blog. Those of you who've read my book on Managing the Human Factor in Information Security will know I have many concerns about the practice of risk management, though I also take the view that it's an essential governance tool that's most definitely here to stay. I do however believe that we need a better, stricter approach to information security management.  

October 31, 2009

Chinese Cyberwarfare Capability

It's hard to ignore the report by Northrop Grumman Corporation on the Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, if only because of its size and authoritative style.

The title gives a hint as to what to expect: a lengthy, 88-page assessment which any good journalist or diplomat could have condensed down to a page with a bit of effort. Even Bruce Schneier has declined to read it, relying on his readers to pick out the salient points.

Written in the style of a military standards manual but littered with superfluous adjectives and acronyms, the report tells us that the Chinese are serious about cyber warfare and aim to penetrate our systems to steal information and perhaps change the data.

Yes, that's what we'd all assumed for many years. So what else is new? 

October 28, 2009

Lessons from the safety field

I've long argued that security should take note of lessons from the safety field, and there are a lot of important learning points set out in the Nimrod review. Many of these repeat the points made two decades ago by Richard Feynman following the Space Shuttle Challenger disaster. Unfortunately, it seems that either our memories are short or the learning points were not widely disseminated.

It's disturbing that we continue to make serious mistakes decades after we have discovered how to prevent them. Perhaps that's an inevitable human weakness. But what counts is that we fix these flaws when they come to our attention, and that we educate others in how to prevent future incidents.

All of these lessons apply equally to security. We can learn much from the model of safety culture spelled out in the report. As the report correctly points out, safety depends on leadership, culture and priorities. It is delivered by people, not paper, and it takes a whole community to ensure that we achieve it.

October 27, 2009

Opinions on RSA Conference Europe 2009

Big conference web sites seem to be evolving into on-line magazines. RSA Conference and Infosecurity Europe publish news items and blog postings all year round. During last week's RSA Conference Europe, Dawn Erska of SolutionSet was circulating with a Flip video camera filming opinions from speakers and attendees. You can view her montage of clips on the RSA Conference web site.

October 26, 2009

Higher standards for identity assurance

Not a week goes by without a news item about yet another breach of personal data. The latest one is a compromise of data on the Guardian newspaper's jobs website. I think we all agree that there's a pressing need for a step change in the standards we apply to the protection of personal information. That's certainly what was agreed by a group of experienced practitioners at a recent ISSA UK debate. The findings from that debate were written up and published in a white paper, supported by former Home Secretary, The Right Honourable David Blunkett MP. It's essential reading for anyone working on systems handling sensitive citizen information.

October 22, 2009

Money in the Cloud

I was intrigued to read that the equivalent of $144 million was traded in the second quarter of the year on the LindeX, the official currency exchange of Second Life. This growth reflects the increasingly virtual nature of money in an information age society.

I've long taken the view that, progressively, the most significant assets in an enterprise will be hard-to-value, intellectual assets, residing in perception, information flows and relationships. Safeguarding these assets requires a very different mindset and approach to locking up physical assets.  

October 21, 2009

RSA Conference reflects trends in security landscape

This year's RSA Conference Europe kicked off yesterday in London. There were the usual keynotes from RSA top management and the usual US style arrangements, including a photo identity check (arguably more of a threat to your personal data than a national security safeguard), a Darth Vader lookalike, and the inevitable 'brown bag' lunch. But, as usual, the whole show is brilliantly organised and runs like clockwork. 

Behind all this there were also some interesting security trends to be noted. This year there was more emphasis on fraud prevention, more focus on community solutions, and more discussion of cloud solutions.

Cloud solutions are especially interesting in the security space, as there is a clear added value from the global community perspective available to vendors. I was particularly impressed with RSA's e-fraud network, which neatly illustrates how to fight networked threats with networked defences. Now that's the real future of security.

October 19, 2009

The RSA Conference comes to town

Tomorrow sees the start of this year's RSA Conference Europe in London. As usual it's a largely vendor-oriented event, with keynotes from sponsors, rather than thought leaders, and with a focus primarily on technology solutions rather than business problems. The marketing also has a strong US flavour, such as the rather strange draft letter to your boss to help justify your attendance (though if RSA is really serious about marketing to CIOs, they should start by beefing up the rather throwaway strapline of 'where the world talks security').

But beyond the sales pitches and the corny advertising there are some interesting sessions and exhibits worth attending. I shall certainly be spending some time checking out the latest products to see if they can actually solve current and emerging business problems. You never know what you might uncover. In some cases, the sheer proliferation of competing products can be a barrier to further progress in solving an industry wide problem. In other cases we simply don't have enough imagination. But what really counts is that user organisations devote some time interacting with vendors in order to bridge the yawning gap between business problems and technology solutions.

This year's theme is Edgar Allan Poe, an excellent choice as he was not only a cryptologist but a John Wiley author. And if you happen to drop by the Wiley stand on Wednesday afternoon, you'll find me signing books for anyone that takes up the cut-price offer on my book 'Managing the Human Factor in Information Security'. Now that's surely a compelling reason to attend?

October 16, 2009

Responding to the postal strikes

Just talk to any business owner, whether small, medium or large, and you'll quickly spot a golden opportunity for the security industry. This season's postal strike will generate a tipping point for many companies to finally ditch paper and move to the Internet.

In practice, however, it's far from easy to authenticate and secure electronic transfers of sensitive data over public networks. Tactical fixes rarely scale well. Hard-to-use security features fall into disuse. Legacy systems might not handle modern security protocols. Without careful planning and strict standards of security, we're likely to create a flood of new exposures to identity theft.

Now, more than ever, we need to raise our strategic game and design lasting security architectures that can safeguard information across a boundaryless, extended-enterprise environment. It's not easy or immediately achievable, but it has to be done if we are to achieve an agile, compliant infrastructure that can support secure operations in a virtual business world.
