Security controls inevitably degrade over time as technology changes, criminals modernize their methods, and systems begin to suffer from natural entropy.
Last week I attended a seminar where the database system being designed to host the new national ID card data was discussed. Much emphasis was put around how modern and therefore secure the system was going to be from both an IT and physical security perspective. But it occured to me that by the time the system is fully operational the game will have changed and many of the security controls will likely be either out of date or new ways discovered to get around them. The point being that you can’t simply design your security systems, rubber stamp the work then move on to the next thing and forget all about it.
Frequent and mundane routines are the killer of good security. Well designed change control processes become an inconveniance to be bypassed, operational procedures to ensure that everybody entering the building has a valid pass or is escorted degrade when the security force begin to believe they can recognise normal behaviour without checking, network security fails when the daily audit of the logs becomes an occassional audit because in the last 6 months nothing interesting has happened and you now have better things to do.
It’s worth keeping in mind that it’s the gradual erosion of seemingly minor controls that will eventually lead to the major incident. Security must be continually reviewed in light of a continually changing environment.