There’s talk that corporate security is now so ineffective that breaches are inevitable and the focus must therefore switch to detecting, containing and responding to intrusions, rather than aiming to prevent them in the first place. Information Week is the latest to report on this “notable change in information security rhetoric”. They report that “instead of preventing all attacks from succeeding, many CIOs now acknowledge that getting hacked is a question of when, not if”.
It’s a remarkable and damning admission. I can see the problem: the threats are getting smarter and our security is not. But how do you explain this to an executive board? And how would you expect them to react? “Off with your head” would be a likely response. Given the amount of money spent on security policies, administrators, technology, reviews and audits, executive boards would be entitled to assume that their security professionals are on top of the problem.
The problem is that for years we’ve been telling boards that security is fine, and that it’s even “enabling the business”. That’s a lie, and it’s time to come clean. The truth is that security is difficult, expensive and full of holes. Passing a Sarbanes-Oxley audit is easy. Keeping foreign intelligence services and organised crime out of your networks is not.
Where do we go from here? Do we now start to admit to customers that their sensitive data is not secure though there’s a chance we might catch the culprits? Do we tell shareholders that we’re producing lots of valuable intellectual capital but it’s likely that someone will steal it at some point? I think not. This sort of talk is unacceptable.
We have to fix the problem. Security managers should be sent back to the drawing board. It’s not reasonable to have hackers wandering around corporate networks and dipping into databases at will. We have to prevent them from getting access to sensitive data and services.
Now that’s not to say that we shouldn’t have measures to detect and respond to incidents. Such measures have always been part of a defence-in-depth model that has been universally practised for several decades. But what we need to do is change our approach to preventative measures. If the corporate perimeter is getting weaker, then we need to build security around the data and applications. If valuable or sensitive data cannot be protected within the enterprise network, it should be removed.
The fact is that information security as it’s been practised for decades doesn’t work in today’s higher-risk environment. Security managers should stop congratulating themselves and cease reassuring citizens, customers and investors that everything is fine and dandy.