There have been so many security breaches, thefts, hacks and ransoms that we’ve become scarred and calloused. This is dangerous because it changes how we think about security, privacy, people, assets and the motives of others. We’ve become numbed. Diligence seems unrewarded.
In the olden days of computing, you could steal a floppy disk or make a copy of data and take it with you. You could take a picture of a terminal screen, then use OCR software or cheap labor to grab text-based assets, as well.
When local-area networks arrived, along with shared resources, the job of thievery became easier. We got smarter, but the initial wave of data protections was weak. We thought it was OK for users to be root and administrator. Even Microsoft started to understand the difference between kernel and user space in their Windows XP SP2 watershed event. By then, however, data thievery became a sport. Law enforcement remained focused on more tangible crime, a problem that remains today.
Alongside the success of the LAN came the internet, with email driving its success. Then came websites. Electronic Data Interchange, or EDI, was a new way to communicate forms-based information in exciting ways, transforming business logistics through barcodes, mag-stripes and more.
The trusting nature of these developments ignored a huge problem: the same thievery that’s been with us since the dawn of time. At each turn, Dickensian urchins have been lurking, waiting to profit from the sloth, lack of planning, or woeful ignorance of others. Tech advances are certainly not exempt, and each new advance represents a potential new vulnerability.
We invented PDAs, then cell phones, then smartphones, then started to embed shrunken electronics into everything from automobiles to refrigerators to teapots. The superfluity of tech is now its own worst enemy.
How we turn this enemy into a friend is the big challenge.
Although this sounds ugly, organizations have to peel off the scabs and re-sensitize themselves, using past security failures to inform evolving strategy.
This can be accomplished through several different forms of management. One is management-by-objective. It’s a time-honored method of setting goals and meeting them, and/or readjusting them on the way. Another is called management-by-putting-fires-out, which is a more reactive form of management that never seems to accomplish long-term goals (and instead just puts out short-term fires).
There is a middle ground between the two--one that’s reactive, yet seeks long-term results from reachable goals. It requires diligence and tenacity. Fighting on multiple fronts simultaneously is the hallmark of security success. It’s a response to the aphorism that states: Nothing is foolproof because fools are so ingenious.
Ten years ago, few organizations had an IT security team. Constant reminders of breaches and asset loss, not to mention compliance needs and regulatory oversight, have spawned a rich and diverse set of motives for IT--often working shoulder-to-shoulder with security forces.
The ability to instill trust requires tenacity and truth. Rebuilding that trust once it has been compromised is like repairing a broken bone. With some luck and a great deal of hard work, the broken bone heals and becomes stronger than ever before.