IT still struggles with making a system or application usable while also making it secure. IT teams generally have a mandate based on Availability. InfoSec teams have a polar objective: keep the information Confidential and maintain its Integrity. Those three words are capitalized because they are the classic pillars of Information Security: C-I-A.
I have spent more than three decades in Information Technology and one third of that time focused on Information Security. My background originates with PC technician and circuit repair work, and I have progressed through the ranks of Inside Sales, Helpdesk, Technical Support, Desktop Technician, Network Engineer, Infrastructure Engineer, Supervisor, IT Manager, Consultant, Security Incident Response Manager, to Information Security Manager and filling CISO roles, consulting widely on IT and Security projects.
IT needs to do things fast and keep systems running; InfoSec needs to do things right and ensure data remains protected. Despite that tension, in my opinion, we need standards, guidance and rules on the Internet and in business that are equivalent to the rules of the road. We didn’t create networks of roads to eliminate traffic accidents. We built them to enable faster travel. We added stop lights to regulate the flow and increase safety. Some accidents on these roadways were going to be inevitable. We built protective devices and safety features to keep the cars on the road and to protect the occupants. We restricted how fast and in which directions one could travel with signage. We mandated certain equipment as simply required. We demanded that each person using the roads be adequately trained and licensed before gaining that privileged access. We put forth laws and regulations that every user must follow, and provided the police with the powers to enforce those laws.
Technology moves so fast that we’re adopting and adapting it faster than we can imagine the consequences. Every single Internet consumer and business user should have to pass a basic online aptitude test. They should understand that their communications traverse multiple networks, and that each of these networks may or may not be trustworthy, and will have varying policies regarding information privacy and access. They should know that there are inherent risks in using the Internet, and that not all information or personas can be trusted. It should be made clear what phishing is, what social engineering is, why credit card and personal information should be kept confidential, what the heck malware is and how it can be avoided. Imagine if everyone on the Internet understood what a password really was, how it should be created and protected, and what the consequences are if compromised? What if we all understood those 53 page privacy agreements that nobody reads, but everyone accepts on new services?
In my time within IT, I cannot count the number of times I have heard the Project Manager or, worse, the Executive Sponsor exhort, “Just get that system up and running. We will add security on to it later.” Security as an afterthought is at best doomed to fail and usually just forgotten. It doesn’t make it onto the Project plan, and is trumped by convenience: the convenience of the implementer, the developer, the consumer and the business need to generate revenue. My grandfather once gave me a lecture regarding my money. He had a bread bag in one hand, and dropped nickels into the bag with the other. He gathered a large number of coins in the bag and made me count them as he dropped them in. He then emptied the bag and poked quarter-sized holes in it. He told me that the only person who would get rich with a bag like that was the guy who followed behind him and picked up the lost money. That is the state of online security and e-commerce today.
Industry surveys commonly attribute major data breaches to ‘insider threats’, but carelessness, misunderstanding, or unreasonable policies may also be valid reasons why these things occur so often. Just my 2¢. Collect the whole bag!