Time to come clean about the state of our security

There’s talk that corporate security is now so ineffective that breaches are inevitable and the focus must therefore switch to detecting, containing and responding to intrusions, rather than aiming to prevent them in the first place. Information Week is the latest to report on this “notable change in information security rhetoric”. They report that “instead of preventing all attacks from succeeding, many CIOs now acknowledge that getting hacked is a question of when, not if”.

It’s a remarkable and damning admission. I can see the problem: the threats are getting smarter and our security is not. But how do you explain this to an executive board? And how would you expect them to react? “Off with your head” would be a likely response. Given the amount of money spent on security policies, administrators, technology, reviews and audits, executive boards would be entitled to assume that their security professionals are on top of the problem.

The problem is that for years we’ve been telling boards that security is fine, and that it’s even “enabling the business”. That’s a lie and it’s time to come clean. The truth is that security is difficult, expensive and full of holes. Passing a Sarbanes-Oxley audit is easy. Keeping foreign intelligence services and organised crime out of your networks is not.

Where do we go from here? Do we now start to admit to customers that their sensitive data is not secure though there’s a chance we might catch the culprits? Do we tell shareholders that we’re producing lots of valuable intellectual capital but it’s likely that someone will steal it at some point? I think not. This sort of talk is unacceptable.

We have to fix the problem. Security managers should be sent back to the drawing board. It’s not reasonable to have hackers wandering around corporate networks and dipping into databases at will. We have to prevent them from getting access to sensitive data and services.

Now that’s not to say that we shouldn’t have measures to detect and respond to incidents. Such measures have always been part of a defence-in-depth model that has been universally practised for several decades. But what we need to do is change our approach to preventative measures. If the corporate perimeter is getting weaker, then we need to build security around the data and applications. If valuable or sensitive data cannot be protected within the enterprise network, it should be removed.

The fact is that information security as it’s been practised for decades doesn’t work in today’s higher-risk environment. Security managers should stop congratulating themselves and cease reassuring citizens, customers and investors that everything is fine and dandy.


2 comments


A key question is to ask if your security is keeping up with "HD Moore's Law": "Casual Attacker power grows at the rate of Metasploit" (thanks due to Joshua Corman). If you only test to the level specified by your Sarbanes-Oxley auditor, you are trusting to luck that the gap won't be spotted.
Proper implementation of ISO 27001 would do a lot to reduce the likelihood of compromise.