Posts Tagged “Information”

A few questions have come in from some readers. Since some of them are similar, I felt that it would be best to answer them here.

Can anyone really defend themselves against hackers or dishonest insiders? For example, if data leakage is invisible (because there may be no evidence left behind that information has been copied without authorization), how can one possibly defend against it?

Welcome to the Information Age!  Knowledge is power; he who has the knowledge has the power.  Intellectual Assets have become more valuable than physical assets.  The simple text file that contains the formula for a prescription drug could be worth tens of millions.  Individuals, companies, and governments are impacted when their information gets into the wrong hands. 

Information Warfare involves everything from personal identity theft to corporate espionage to offensive attacks against government assets.  The control of information is critical to the new Information Age.  Is it worth the risk interacting with this digital age?  We hear daily about vulnerabilities discovered in the operating systems that we use for work and play.  The applications we trust to hold our data, to view the world with our digital eyes, to pay our bills are fraught with bugs and backdoors.  Our Inboxes are filled with e-mail trying to entice us to provide our personal information.  Malware abounds throughout our interactions.  All around us are threats to our personal information.  With this focus on information, is it truly possible to defend against information warfare attacks when the attacks are just as varied as information warfare itself?

Life is about risk.  We all take risks when we get up in the morning and start our day.  We take risks as we drive our cars.  Our lives involve a mixture of risk avoidance and risk acceptance.  Defending our information against information warfare attacks is also an exercise in risk. 

Can we avoid all information warfare attacks? No. Information Systems are too embedded in our lives. Even were we to hide all our money under our mattresses and never leave the house, the energy we use, the water we drink, and the government services we rely on are all provided in some way using information systems. We cannot avoid all risks; therefore, we must decide which risks we can accept and which risks we try to avoid. We can take efforts to insist that the companies we deal with conduct business securely. We can petition our government to enforce common sense measures to protect its information systems. We can ensure that we use good judgment when surfing the Internet.

It all comes down to levels of acceptable risk.  We need to determine how we go about our lives and conduct business in a way that reduces the level of risk to our information and information systems.  What we cannot reduce or eliminate we must accept.  Much like the Age of Exploration, the Information Age is fraught with pitfalls and unknowns.  The mariners of old stocked their ships with the materials they might need should the unexpected come up.  They did what they could to minimize the impact of unforeseen circumstances and continued onward.  We should take a lesson from them and continue onward.


Recently I was having a conversation with a good friend of mine.  He is the Chief Security Architect for a datacenter.   He was sharing with me how frustrated he has become with how his projects have been prioritized within his organization.   He took this position after working as a consultant for 25 years so he is under no illusion about how security is treated within most organizations.   All the same it is nice to vent to friends and colleagues about how “management” just doesn’t get it. 

Things are getting better though. Several recent surveys that I've read point to an increase in prioritization of information security issues and point to regulatory compliance as the key driver. (The two that pop immediately to mind are the 2007 Global Information Security Survey conducted by Ernst & Young and the 2007 Privacy and Data Protection Survey conducted by Deloitte.)

I suppose that we should be grateful for this increase in visibility, but I can't help but feel a bit cheated. If this increase is really due to greater regulatory scrutiny, then what that means is that the private sector is being forced to implement security controls because it has failed to do so prior to now. We live in a world where data breaches are a daily occurrence and companies are making millions helping us "protect our identity." (Look for an upcoming blog post on that topic.)

Why?

As many of us can attest, we have been warning management for years about security issues. They either don't listen or prioritize our initiatives so far down the project list that it is difficult to be anything but reactive. We can complain that they just don't get it, but honestly, it isn't their job to get it.

Now, before many of you blow your top on that last statement, hear me out. Management doesn't get it because it isn't their job to understand information security. That is what they hired us for. Our job is to understand the ramifications and then translate those ramifications into a language that management understands.

Now, I've been a consultant for over 10 years and, as I'm sure many of you can attest, it is often much easier to say that we need to translate information security into a language that management understands than to actually do it. Every organization is different: different personalities, different priorities, different agendas, etc. What really drives an organization may be different from what the organization publicly admits. I've had some extraordinary successes as well as some extraordinary failures (all of them wonderful learning experiences). It often takes time and some careful observation to zero in on what is important.

In the coming weeks I’ll be posting a white paper on some of the research that has been done on how people view their world (both individually as well as being a member of a group).  This is based on some work that I started while studying for my Masters program.  It offers some interesting insights and I look forward to hearing your comments on the subject.

The end of the story is that while my friend was relaying his general frustration with how his projects were being prioritized, he was doing so in light of a success he had just had in elevating one of those projects to a much higher priority.

Until next time,

Graydon
