There's talk that corporate security is now so ineffective that breaches are inevitable and the focus must therefore switch to detecting, containing and responding to intrusions, rather than aiming to prevent them in the first place. Information Week is the latest to report on this "notable change in information security rhetoric". They report that "instead of preventing all attacks from succeeding, many CIOs now acknowledge that getting hacked is a question of when, not if".
It's a remarkable and damning admission.
I can see the problem: the threats are getting smarter and our security is not. But how do you explain this to an executive board? And how would you expect them to react? "Off with your head" would be a likely response. Given the amount of money spent on security policies, administrators, technology, reviews and audits, executive boards would be entitled to assume that their security professionals are on top of the problem.
The problem is that for years we've been telling boards that security is fine, and it's even "enabling the business". That's a lie and it's time to come clean. The truth is that security is difficult, expensive and full of holes. Passing a Sarbanes-Oxley audit is easy. Keeping foreign intelligence services and organised crime out of your networks is not.
Where do we go from here? Do we now start to admit to customers that their sensitive data is not secure, though there's a chance we might catch the culprits? Do we tell shareholders that we're producing lots of valuable intellectual capital but it's likely that someone will steal it at some point? I think not. This sort of talk is unacceptable.
We have to fix the problem. Security managers should be sent back to the drawing board. It's not reasonable to have hackers wandering around corporate networks and dipping into databases at will. We have to prevent them getting access to sensitive data and services.
Now that's not to say that we shouldn't have measures to detect and respond to incidents. Such measures have always been part of a defence-in-depth model that has been universally practised for several decades. But what we need to do is change our approach to preventative measures. If the corporate perimeter is getting weaker, then we need to build security around the data and applications. If valuable or sensitive data cannot be protected within the enterprise network, it should be removed.
The fact is that information security as it's been practised for decades doesn't work in today's higher-risk environment. Security managers should stop congratulating themselves and cease reassuring citizens, customers and investors that everything is fine and dandy.