Security Armchair Quarterbacks: Go Away - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IT Leadership // CIO Insights & Innovation
11:40 AM
Connect Directly

Security Armchair Quarterbacks: Go Away

Cyber criminals will never go away. Instead of looking for a silver bullet, be proactive, interactive, and focus on reducing risk.

I'm getting tired of the barrage of emails from security vendors saying that unless we implement some specific solution, "Target-like data breaches will continue into 2015." The implication is that only a cretin would fail to implement the pitched solution. I'm tempted to write back: "Would you be willing to indemnify my organization against data breach losses if we implement your solution?"

How did we get here?

It's way too simplistic to argue that IT is broken and it didn't used to be. The curmudgeons among us point back to the IBM, Burroughs, Sperry, and Control Data mainframes of old and revel in stories of near 100% uptime and near 0% security breaches. I was a young punk during the mainframe times, and here is what I know: They were (mostly) islands of computing. The people who had the knowledge or physical access to break into those systems were few and far between.

[Limiting data encryption to government use won't prevent bad things from happening. Read Why Outlawing Encryption is Wrong.]

Even during the heyday of modem access -- bulletin board systems, FidoNet, Tymnet, UUNET, and the like -- the art of war-dialing, whereby hackers identified computer targets by having a modem try one phone number after another, was hit and miss. And because it took up to a minute to initiate a call and seek a carrier tone, if you hit 60 phone numbers an hour, you were lucky.

As technology became more widespread, bored 13-year-olds with modems started virtual doorknob-rattling. A national conversation emerged: Were they pranksters ("Shall we play a game?") or were they criminals?

As computers and networking grew ubiquitous, moving from a techie village into the big city, bona fide cyber criminals, seizing on modern methods of breaking, entering, and theft, became far more of a problem than goofy teenagers. Science fiction author Larry Niven predicted that the invention of teleportation would cause a huge spike in crime, because criminals could prey on a much larger pool of victims from afar. The global Internet proves Niven right in the abstract, as anyone can now attempt to steal electronically from anyone, anywhere in the world.

Criminals can now rattle virtual doorknobs not once or twice a minute with their 300-baud modems, but dozens of times per second with TCP/IP packets. The use of automation means that all connected machines are at risk.

Meanwhile, as tech moved into the big city, all the popular kids started using it. It has become embedded into our economy. An FBI agent quipped to me over a decade ago that the best bank robbers used a keyboard, not a gun. He was right then, and he has become even more right now.

Even people you might expect to shy away from high tech (your aging parents, probably) are now embedded in the digital economy via mobile banking and all manner of e-commerce, all of which link to their bank accounts and credit cards.

Now add all of that to the technology treadmill, whereby today's gold standard device or app or cloud service is tomorrow's belly laugh, and it's easy to see an additional risk factor. If physical building materials and security methods changed as fast as virtual ones, the problem would be starkly apparent to everyone. Just wait for Google to invent teleportation and to put it into perpetual beta development, and you'll see.

First-responder perspective
This picture may look gloomy, but there's hope -- and a lot of hard work ahead.

Let me share my perspective as a fly on the wall of emergency operations centers and law enforcement for the last several decades. We can never eliminate the "bad guy" or natural disasters or health emergencies. We can only reduce them.

Police, fire, and emergency medical pros believe in risk minimization, not elimination. And they understand that incident prevention is much cheaper than emergency intervention, even if they still must plan to respond to emergencies. How can we apply this approach to IT security?

First, reduce suckerdom. If there's indeed a sucker born every minute, it's incumbent upon IT emergency responders to spend time and resources teaching those suckers to, well... suck less.

Don't bore people with death-by-PowerPoint and a soliloquy. Conduct interactive training sessions. Keep those training sessions as short as an Ignite talk, and emphasize discussion. Use a learning management system for self-paced instruction.

Appeal to self-interest by helping people secure their home computers. Have regular conversations. Make sure that employees view IT security drills as a partner activity, and possibly even as (gasp) fun, not as "gotcha" traps.

Second, start having risk management conversations with business partners at all stages of product lifecycle, from idea to decommissioning. Make it clear to other business leaders that IT can and will react, and can and will take precautions, but that security at its best is much more than the reactionary part.

It will have been a productive conversation when business leaders, not just IT pros, freak out when data isn't encrypted and plaintext passwords are stored in a network folder labeled "password." It will have been a productive conversation when business leaders wonder whether the security risk of ramping up the beta technology treadmill is justified by the potential benefits.

We need to have these conversations with line employees, and then we need to listen. We need to be sensitive when we're causing complexity for employees. Any emergency responder would explain to you that complexity causes bad outcomes. That's why 911 isn't 828-524-0911.

For example, it's typical for employees to complain about password changes being forced too frequently. It's a complaint about complexity. We ignore these complaints, because our auditor says so, and she says so because her checklist that was developed in 2006 says so. Except ignoring employees makes them roll their eyes, disengage, and be less likely to follow our (other) security advice, with security consequences. Maybe we should stand up to our auditors and explain that with 12-character passwords consisting of uppercase and lowercase letters, numbers, and symbols, we might not need to change them every 60 days, that we're causing needless complexity, which actually could increase risk.

Most breaches are traceable to a lack of security fundamentals among employees or IT pros. I believe that we can and will improve security fundamentals as our industry matures into its late adolescence.

I don't have all the answers, but I'm not backing down on this point: Don't believe in silver bullets. We're in this age of breaches for many complex reasons. A quick fix probably isn't a fix, and buying into one wastes time and money better spent elsewhere.

I'm not saying that new security products aren't useful. They may be. But it's a grave error to give into armchair-quarterback-inspired panic to focus on new toys instead of security fundamentals.

Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization's IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.

Jonathan Feldman is Chief Information Officer for the City of Asheville, North Carolina, where his business background and work as an InformationWeek columnist have helped him to innovate in government through better practices in business technology, process, and human ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Charlie Babcock
Charlie Babcock,
User Rank: Author
12/9/2014 | 12:44:11 PM
Breaches often reflect a lack of fundamentals
Excellent discussion about where organizations need to begin to get to better security. "Most breaches are traceable to a lack of security fundamentals among employees or IT pros." Well said. The explanation, after it happens, will more likely be simple than complex. It was a sophisticated breach at Target, but still fairly simple. 
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

11 Things IT Professionals Wish They Knew Earlier in Their Careers
Lisa Morgan, Freelance Writer,  4/6/2021
Time to Shift Your Job Search Out of Neutral
Jessica Davis, Senior Editor, Enterprise Apps,  3/31/2021
Does Identity Hinder Hybrid-Cloud and Multi-Cloud Adoption?
Joao-Pierre S. Ruth, Senior Writer,  4/1/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Successful Strategies for Digital Transformation
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll