With the emergence of yet another widespread vulnerability, I’ve been spending some time reflecting on the ever evolving threat landscape that has prevailed over my career. I’ve come to the realization and opinion that we, as a group of professionals, have gotten distracted and as a consequence have focused on symptomatic issues.
Essentially we have chosen to hike down a wilderness trail that constantly brings us into contact with all manner of dangers rather than a trail that seeks to avoid these dangers as much as possible.
I came across an interesting article at Forbes today entitled "Cyber Security and the Danger of Ostriches in the Boardroom". The article is of course aimed at business leaders and attempts to highlight reasons why they need to be fully engaged in the information security dialogue.
I of course wholeheartedly agree with this, but let’s be realistic here. We have been trying to bridge this divide for quite some time. We have been trying to portray ourselves as friends of the business; however, we’ve (for the most part) been less than successful in our endeavors.
It is a Journey
What is security? How can I be secure? How will I know my systems are secure? I was compliant with the regulations, how was I able to be hacked?
Over the years these questions have come up in one form or another. The conversations have been with different people and in different contexts. At first I was a bit dismayed that we are still struggling with the concept of security, but the more I thought about it the more I welcomed the opportunity to address this topic.
About a year ago I had the opportunity to conduct some security assessments at a partner’s facility deep in the rain forests of Brazil. While I was there I was given a very unique opportunity: not only to take a cruise on the Amazon, but to actually swim in the confluence of the waters of the Rio Negro and the Solimoes, where the Amazon officially begins.
Swimming in the confluence of two rivers is probably not the smartest thing to do - especially in the Amazon. Not only do you have unpredictable currents and eddies but you are likely to have predators lurking there to take advantage of the food sources coming out of each river.
Return on Investment. Words that typically bring dread to the heart of any information security professional. Some have even gone so far as to advocate that it is a useless term in our industry, given the nature of the threat environment in which we constantly live. If you look back at my last post, entitled “You get nothing! You lose! Good day, Sir!”, you will see a conversation that revolves around how CISOs are viewed as out of touch by their C-Level peers.