Securing New Technology is Going to be OK. Just Not Today.
By Stephen Fried, IT Security Director, American Family Mutual Insurance Company, S.I.
My cell phone has a camera in it. That’s not a big deal today, but back in 2003 cell phone cameras were a cutting-edge technology and well-meaning security pros (myself included) warned that this would allow attackers to steal all your data, violate your privacy rights, and cause the downfall of our companies. Ah, the good old days, when camera phones were our biggest problem. Many of the predicted hazards of camera phones came true; sensitive information was photographed and privacy was violated. But we also used some basic security controls such as prohibiting phones in certain areas or severely restricting their use to limit the potential damage. These crude but effective controls allowed us to manage the short-term risk until we learned how to control the technology better.
Flash forward to 2014. At that time you couldn’t find a security professional worth their certification that would have recommended moving your data to the cloud. We were terrified of the prospect of trusting data to what we said was “just someone else’s computer.” Over time we overcame the fright, studied it, made mistakes, learned some more, made some more mistakes, and kept trying. We finally learned how to secure things in a well-designed and well-managed cloud environment. It didn’t happen all at once, a lot went wrong along the way, and although we still haven’t mastered it, we’re getting much better. It’s a cycle we’ve been repeating since the earliest days of computing (and computing security), and it’s a cycle we’ll keep repeating for the foreseeable future.
So, what are today’s challenges that well-meaning security pros are warning about? AI, Machine Learning, IoT, and Blockchain all promise (according to vendors and consultants) untold riches and unlimited market domination for the right companies willing to take the plunge and invest heavily in their development. All of them are also frightening security people to death.
"Protect what you can, monitor what you can’t, and be ready to respond quickly when things go wrong because they will go wrong"
Why? Because like camera phones, the cloud, and everything that came in between, we don’t quite fully understand them. They represent dramatic change and, frankly, we security people don’t handle change very well. Add to that the generally sorry state of security technology, infrastructure, and software and our comfort level decreases even more. Deep down we know that for all the business’ good intentions, market promise, and well-funded research and development in these technologies, one thing is inevitable:We’re going to get it wrong! Very, very wrong. That’s bad for business, and it’s bad for our customers.
As we race to market with new AI, Blockchain, and IoT solutions there is no way to guarantee we will get it right (even if we can define what “right” is at this early stage). As a result, data will leak, secure configurations will fail, “expert” knowledge will be lacking, technology designed to stop and catch threats won’t, and attacks will succeed. Not on some grand scale that will see the complete collapse of the world’s cloud or Blockchain environments, but on a thousand little micro-scales, where individual organizations get tripped up on the learning curve of these technologies and expose themselves to the badness that awaits. Nobody wants to be tomorrow’s security breach headline, but unfortunately, somebody will end up there anyway. It’s the sad reality of this stage of learning infancy: we need to get it wrong first because that’s the only way we’ll learn what “right” looks like. However, as we struggle amidst our lack of knowledge and the general mediocracy of our security technology, we can be comforted by one bright thought:
It’s going to be OK.
Not immediately, but eventually, and we’ll get there by understanding our current limitations and working to minimize them while the knowledge and experience we desperately need catches up. We do this by remembering the foundational security principles that have served us well for decades. These are principles like limited and authorized access, least privilege, and limiting the storage and transmission of data. We all learned about these principles on day one of CISSP class, yet they seem to get perpetually lost in the face of shiny new security technology and promises like “containers will solve your security problems” and “trust the math.” I do trust the math. I just don’t trust the people implementing the math.
So, protect what you can, monitor what you can’t, and be ready to respond quickly when things go wrong because they will go wrong. When your business leaders say they want to move fast and furiously into new and exciting technologies, check your horror at the door. Companies rarely make go/no-go decisions based on the cyber risk attributes of a new idea, but how well they succeed or fail may very well rest on your ability to manage those risks effectively. Without your expertise in security and risk management they will most certainly get it wrong, so you might as well be part of helping to get it right.