Making informed and balanced decisions about information security technology is hard. Period. Security spending can ratchet upwards, with every incident or published data breach driving further investments that can wind up being irrelevant or even counterproductive. It’s not unknown, for example, for the PDF pages of a company’s published catalogs to wind up under the same administrative umbrella—with its attendant costs—as sensitive financial records. Following a path of “better safe than sorry,” the accumulating layers and entanglements can result in lower productivity, impaired customer experience, and hidden costs that won't explicitly appear in any statement of profit and loss.
Further, when measured by conventional criteria, security can readily become a demonstration of Goodhart’s Law: when a quantity becomes a target, it ceases to be useful as a measure, because incentives to achieve the target displace or eclipse the original goal. Have password complexity and change frequency requirements been successfully enforced? Perhaps. But has actual security improved? Or have irritated users taken to writing their passwords on sticky notes that are in plain sight at their desks? Have inconvenienced customers taken their business elsewhere, leading to lost revenue costs that outweigh the likely consequences of less burdensome policies?
The conversation about information security may perhaps lead in more useful directions if it begins, not with the information assets to be protected, but with the customer experience and the enabling employee experience that are to be assured.
Customer Experience Over Security Product
A more comprehensive, more personalized customer experience almost unavoidably implies more parties holding more data and exchanging it via more diverse channels. The security challenges grow apace. The entire purpose is defeated, though, if resulting burdens of security fall upon end users, who want a “feels like magic” experience – and as movie-goers were warned in “Doctor Strange,” would-be magicians do well to remember that “the warnings come after the spells.”
Technologies like high-speed wireless connection, affordable storage, and energy-efficient computation allow us to perform acts that seem like magic – but they come with warnings that must be considered, including increasing complexity and sensitivity of data sets, and rising levels of scrutiny under regulations such as GDPR and CCPA.
Analytical approaches including the National Security Agency's Infosec Assessment Methodology can serve us well, offering insightful questions such as:
- What is the organization’s mission?
- What information supports this mission?
- Who holds that information?
- Who can see it?
- What events and actions can change it?
- When is that important?
These are better questions than the asset- and mechanism-focused questions that organizations tend to ask.
Three Pillars of Preparation
To create a future-ready, experience-protecting security posture, there are three principles that must be respected.
1. Security must be built in.
Systems must be constructed securely from the outset, increasingly in contexts of cloud platforms that embed security in their service. This ensures that possible difficulties of adding security after the fact will not create incentives to take dangerous shortcuts, typically in pursuit of better response time or less costly deployment.
2. Threat monitoring and remediation need to be enforced.
There must be ongoing observation and rapid detection of unusual behavior at the data access and flow level, with the ability to stanch the bleeding quickly before characterizing and correcting the vulnerability. In a world where attackers are probing newly discovered flaws within 15 minutes of disclosure, the speed of blocking data loss or damage is a far more important criterion than a list of formally identified vulnerabilities that have been corrected, or a list of software patches that have been tested and applied.
3. Those responsible for information security must almost literally live in the future.
As noted in a memorandum from the U.S. Office of Management and Budget on Nov. 18, “The threat posed by the prospect of a cryptanalytically relevant quantum computer (CRQC) requires that agencies prepare now to implement post-quantum cryptography… Agencies must remain cognizant that encrypted data can be recorded now and later decrypted by operators of a future CRQC.” It is not enough to defend against the attacks of today; there must also be anticipation and proactive defense against foreseeable modes of attack that have yet to appear in the wild.
It's important to note that none of these principles is merely a protection to be purchased or a rule to be declared. These are all combinations of both an architecture in which a behavior is feasible, and a discipline of instituting and maintaining that behavior. Anything less will quickly prove to be insufficiently advanced.