My blog postings have been very thin lately. This was due to my annual Scottish fly-fishing holiday (the highest priority in my calendar) followed by the Queen’s Diamond Jubilee and a mass of catch up work. It’s take me weeks to get up to date.
But breaks like this are highly welcome, not only because of the freedom, relaxation and social networking, but also because they grant you a rare chance to detach yourself from the madness and (let’s face it) incompetence of everyday business, and to reflect objectively on life.
In a large enterprise this madness is largely invisible to most employees, masked by a surrounding mist of illusion, otherwise known as organisation culture. Such a phenomenon is impossible to ignore and even harder to influence. Smaller companies can be less prone to it, but any large community tends to adopt an instinctive behaviour that springs from no obvious source, and generally defies logical analysis.
We see it with banks that carry on gambling as usual. With process industries that refuse to acknowledge that Die hard 4 was perhaps an understatement. And with governments who think the answer to all ills is simply more regulation. But most worryingly we see this madness with security managers at all levels who think that the answer to a wave of advanced persistent threats is to form a committee, conduct a risk assessment, publish a policy or carry out a review.
Yet in the past few months we’ve seen some amazing revelations on the threat front, from “hacktivists”, government spies and organised crime. There is no longer any margin for error. The Internet is a dangerous environment for everyone. If you don’t get your security absolutely right, you will be hacked sooner or later (and increasingly sooner).
It’s quite clear that national intelligence services have for years been exploiting the extraordinary degree of vulnerability found in every enterprise. Recent claims, for example, that the US Government has been sponsoring cyber attacks at the highest levels for the best part of a decade should come as no surprise to any security professional. Many other states are likely to be following their lead. Yet little seems to be being done to safeguard our increasingly vulnerable critical national infrastructure from sophisticated attacks.
Let’s face it all enterprises today have leaky perimeters, insecure platforms, ineffective access rights management, and error prone users. Yet we are painfully slow in recognising and addressing these weaknesses. Instead we publish reams of unreadable policy, allow business expediency to override critical vulnerabilities, and conduct lacklustre awareness campaigns.
One reason for this state of affairs is that the threat is largely invisible, which means it’s easy to ignore. Espionage and fraud are covert activities by nature, and their consequences are largely outside of a typical manger’s everyday experience. That doesn’t mean it doesn’t happen and doesn’t cause damage. Take it from me: every research centre, procurement process, customer database, and call centre is a target, and many will have been compromised. We just don’t open our eyes to the reality or the consequences.
Another reason is the inevitable fact that remedial action costs real money and time, so no one wants to go down that route. Given a choice, business managers will always accept a risk rather than spend money or invoke delays. Security is not just a hard sell; it’s a career limiting investment. But in the absence of any real enthusiasm from business managers, security will remain little more than a tick-box requirement.
It doesn’t have to be like that. The world of in industrial safety, for example, was in a similar state back in the 1980s. Today, to an outsider, safety in the process industries comes across as an ingrained religion. You can’t walk upstairs without someone telling you to hold the handrail. You can’t trail a mains lead across the floor without someone shouting “safety hazard”. How did this happen? Quite simply, it was through a professional, sustained campaign sold to and driven by senior management.
Why does this not happen for security? The answer is because few people in security have learned from the safety example and, more importantly, because nobody in security is telling the truth to their executive boards. The security community has an unfortunate habit of telling the directors that everything is fine and dandy when it’s not.
A further factor might be that enterprises tend to look to banks rather than process industries for best practices in security. And another is the hard truth that few CISOs actually possess the skills and imagination to promote a change of direction to the Board.
In the meantime we continue to observe security communities and institutes congratulating themselves on their effectiveness in promoting professional development schemes, standards and other bureaucratic treacle. Yet the truth is that all we are really doing is building and reinforcing a dangerous monoculture built on discredited practices and ancient rites.