You know, one of the interesting things I've noticed, and it's not really specific to security, is that the more interconnected the world becomes, the harder it is to find the root cause when something goes wrong. If we look at the financial/mortgage crisis, for example, if you wanted to point the finger at one person or event, could you do it? I've wanted to for a long time, tracing this chain back to some single point of failure, but it's really not possible. When something like this happens, where there isn't one root cause, accountability becomes a big mess because everyone can push the problem onto someone else. The problem is that if everyone pushes around problems, problems never get solved. So the way we need to look at it is that instead of there being limited accountability, there needs to be a lot of accountability.
This type of complex, interconnected failure isn't so different from what we see in the news around data breaches. People want security to be simpler and they want to find that single point of failure, and sometimes it's there, but often it's really not. Our technology world has grown into a complex system of systems where legacy systems are communicating with new systems, the notion of a perimeter is dissolving, new consumption and delivery models are popping up all the time, and we have to secure all of this.

Let's face it, the majority of attacks today don't operate in little silos. They can cross users and endpoints, applications, networks, databases, etc. So despite the fact that you might have different teams responsible for all of these areas of your system, and you might see them as separate, attackers see this as one connected system. As a result, when breaches happen, it is often a combination of insufficient security controls, problematic policy and even things like a lack of user education. When we live in a world of complex and networked technologies, the notion of a single point of failure is disappearing.
So what do we do about this? Obviously a layered defense is imperative. You need to think about your data: how it moves, where it rests, how it gets accessed, which data is most important, and how you can apply security controls all along the way.

Moving away from just the technology, one of the other things that people talk about is accounting for the human element in security. When people are talking about this they are generally referring to the fact that users will click on just about anything, so security has to acknowledge that users are going to constantly put their organizations at risk. But there's another side of that human element that I think is important, and that is establishing a culture in your organization in which security is top of mind and everyone is responsible. Whether you are a developer, a DBA, an executive who might be targeted or an IT manager, security is something you need to consider. Yes, new technologies will help, but changing culture and process, while never easy, is almost always an essential element of dealing with systemic issues, whether they be financial markets or security concerns.
The last bit worth acknowledging is the danger of ignoring something that appears broken simply because it hasn't actually broken yet. In this case we're talking about warning signs around the economy while the market keeps going up, and IT decision makers saying, "well, we haven't been breached, so we must be secure," regardless of their actual security posture.
Despite what we would all like, these aren't issues you can just sweep under the rug and cross your fingers hoping that a problem won't pop up. Organizations need to confront these issues.