Thanks to the Target breach, information security is as front and center as ever. That's great for those of us working in IT and information security. Obviously, it's not a good sign for businesses.
As with most things, the hype will die down, people will get back to their daily grind and, at some point in the near future, we'll hear about the next “big one”. Maybe it'll be another major corporation, perhaps a federal government agency, or (let's hope not) your own organization. Surely not, though. These things only happen to other people.
You cannot let history repeat itself – at least not on your watch.
So, what are you going to do? Are you going to fall back into your groove like we tend to do in most other aspects of life (e.g. driving our cars, our fitness, and homeland security)? In my work I often witness the fact that complexity is the enemy of security. Ditto for complacency. Fool you once, shame on the criminal hacker or rogue employee. Fool you twice, shame on whoever let their guard down.
I believe part of our problem is how we (me, you, executive management, whoever) think about information security. We have a sense of expediency and comfort knowing that a supposed solution is mere minutes away. It's not all that different from healthcare and medicine. Doctor David Perlmutter, author of the new book, Grain Brain (a great book for many of us sedentary IT workers, by the way!) said in a recent radio interview: “Do whatever you want, live however you want…there's a pill for that.”
After I heard that, it hit me. That's just like information security! For example:
- There's PCI DSS.
- There's DLP, identity and access management, and next-generation IPS.
- There's an IT security policy that a former employee wrote and stuck in a binder somewhere that no one knows – or cares – about.
- There's this amazing new thing called “cybersecurity” that has all the answers!
So, when you have security problems, the fix to your woes is only a purchase order or new regulation away.
If only it were as simple as many people make it sound.
I'm going to venture to say something that I know many people will shrug off because it's too simple: why not just do what's right to begin with? We have tons of proven information security standards and practices – many of which go back more than four decades – yet we keep ignoring what's known to work.
We keep striving to find something more – something beyond – the low-hanging fruit that keeps biting oh so many businesses. Surely, it's more complicated than merely fixing the basics. Maybe so, maybe not – I'll let reality speak for itself.