Time to change security – “no time for more of the same.”
I haven’t scribbled a blog for a while. Rather than bombard the web with yet more content and conjecture to add to the mass already present, I need a “discussion catalyst” to compel me to write. It arrived on the front page of the Times newspaper today, proclaiming “500m users hit by the biggest hack in history” (the story concerns a 2014 attack whose scale has only recently been disclosed).
I have said in previous blogs and commentary that headlines like this are no longer sensationalist but factual, and that they will sadly keep coming, each one correctly announcing a breach bigger than the last. It is time to rethink information security, because the rules of the game have fundamentally changed. We are an IT industry with extremely competent security professionals, and the time has come for hard conversations about difficult problems, conversations that drive and deliver far-reaching change. The legacy approach to designing, implementing and supporting information security platforms should not be jettisoned overnight, but failing to understand whether the solution as a whole actually delivers a known, measured and maintained (or enhanced) level of security can no longer be accepted as valid or sound behaviour (I apologise if this is overly hard hitting).
There are many sound reasons why a multi-vendor security infrastructure and security software environment can deliver secure business and IT workload outcomes. But an environment of siloed platforms that neither inform nor update each other, whether through vendor-proprietary or industry-standard data exchange layers, and that feed nothing into a platform that correlates events and presents actionable information, may be as useful as no security layer at all: each tool sees only its own slice of an attack. I am not advocating a single-vendor security environment (although that can unlock a number of notable advantages), but I do lean towards a greatly reduced vendor environment, because the complex web of devices pervasive across many enterprise IT estates delivers a false sense of security and can be the perfect landing zone for an attacker.
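As an added illustration of the siloed-platform point above (example code written for this edit, not tooling from the original post), here is a small Python correlator. It normalises two feeds that would normally live in separate consoles, a firewall's key=value syslog lines and an endpoint agent's JSON detections, into one common schema, then joins them by host inside a time window. Neither feed alone rates the activity on the first host as more than routine; together they make a high-severity alert. The log formats, hosts, users, addresses, the `KNOWN_BAD_DST` list and the 15-minute window are all constructed assumptions for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample feeds (hypothetical hosts, users and addresses; not from any real estate).
# Feed 1: a firewall exporting key=value syslog lines. On its own it sees only "allowed" traffic.
FIREWALL_LINES = [
    "2016-09-23T08:12:04Z fw01 action=allow src=10.20.1.15 dst=203.0.113.77 dport=443 proto=tcp",
    "2016-09-23T08:12:09Z fw01 action=allow src=10.20.1.15 dst=203.0.113.77 dport=443 proto=tcp",
    "2016-09-23T08:30:41Z fw01 action=deny src=10.20.1.99 dst=198.51.100.5 dport=445 proto=tcp",
]
# Feed 2: an endpoint agent exporting JSON. On its own it sees a medium-severity process event.
EDR_EVENTS = [
    '{"time": "2016-09-23T08:11:52Z", "host_ip": "10.20.1.15", "user": "jdoe", '
    '"detection": "office macro spawned powershell", "severity": 5}',
    '{"time": "2016-09-23T12:02:10Z", "host_ip": "10.20.1.42", "user": "asmith", '
    '"detection": "credential dumping tool", "severity": 8}',
]
# Threat intelligence neither tool consults by itself (constructed list of hostile destinations).
KNOWN_BAD_DST = {"203.0.113.77"}

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps both feeds use into aware datetimes."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_firewall(line):
    """Map one firewall line onto the common schema; return None for lines that do not parse."""
    m = FW_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "source": "firewall",
        "ts": parse_ts(d["ts"]),
        "host_ip": d["src"],
        "detail": f"{d['action']} {d['dst']}:{d['dport']}/{d['proto']}",
        "bad_dst": d["dst"] in KNOWN_BAD_DST,
    }


def normalize_edr(raw):
    """Map one endpoint JSON event onto the common schema."""
    d = json.loads(raw)
    return {
        "source": "edr",
        "ts": parse_ts(d["time"]),
        "host_ip": d["host_ip"],
        "detail": f"{d['detection']} (user {d['user']})",
        "severity": int(d["severity"]),
    }


def triage(fw_lines, edr_raw, window=timedelta(minutes=15)):
    """Join both feeds by host: an endpoint detection plus contact with a known-bad
    destination on the same host inside `window` is escalated to one high-severity alert.
    Endpoint detections with no such network evidence are reported at their own severity."""
    events = [e for e in map(normalize_firewall, fw_lines) if e] + [normalize_edr(r) for r in edr_raw]
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host_ip"]].append(e)

    correlated, standalone = [], []
    for host, evs in by_host.items():
        fw_bad = [e for e in evs if e["source"] == "firewall" and e["bad_dst"]]
        for det in (e for e in evs if e["source"] == "edr"):
            linked = [f for f in fw_bad if abs(f["ts"] - det["ts"]) <= window]
            if linked:
                correlated.append({
                    "host_ip": host,
                    "severity": "high",  # escalated: neither feed alone would rate it this high
                    "endpoint": det["detail"],
                    "network": [f["detail"] for f in sorted(linked, key=lambda f: f["ts"])],
                    "first_seen": min(e["ts"] for e in linked + [det]).isoformat(),
                })
            else:
                standalone.append({"host_ip": host, "severity": det["severity"], "endpoint": det["detail"]})
    return {"correlated": correlated, "standalone": standalone}


if __name__ == "__main__":
    print(json.dumps(triage(FIREWALL_LINES, EDR_EVENTS), indent=2))
```

The point is not the specific join: it is that the escalation only exists once both tools write into a schema something else can read. A third feed (proxy, identity provider, mail gateway) slots in by adding one more `normalize_*` function, which is the "data exchange layer" a siloed estate lacks.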
Add to that the non-negotiable requirement to formally educate IT system and application users about the responsibility and accountability they personally hold for protecting the digital assets they interact with daily. Almost without exception, the major hacks and attacks originate with a compromised user, whether tricked or bribed, which hands the attacker a valid way in and the foothold needed for the reconnaissance that precedes the main attack. It is time for all IT users to raise their understanding of, and intimacy with, IT security outcomes; that is a major step towards helping the wider enterprise security programme operate effectively.
Alongside the headline, the Times displayed the passport picture and details of Michelle Obama. As we continue to discuss the growing importance of digital identity, a passport is one indelible example of an identity deemed more important than most, and an attack that successfully obtained the personal details of one of the most highly protected individuals in the world shows that no one is safe and everyone is a potential target.
IT security 2020 is required today, and required now. It starts with an understanding of the current IT and digital assets, a gap analysis of posture against compliance requirements, platforms and systems that interact with each other, user education, and greatly increased end-to-end visibility of the whole estate. I could go on, as the steps required are many, but none of them is a step we do not already know about or should not be undertaking today. No change is unacceptable; more of the same is unacceptable. Sadly we can be sure that the next big breach will be bigger than the last, but no one wants to be the star of that headline.
Time for security change – change is now
Until next time