Industrial Strength Insecurity – Coffee & Pie
You can't make an omelette without breaking a few eggs, or in this case grating a few nerves. However, the 'King has no Clothes' approach has never really worked for me, nor, for that matter, as an instrument to cloak what would seem to be a sprinkling of lacklustre strategies for defending against the modern-day onslaught of CyberConflict.
Looking back to 2011, it is evident it was a bad year for security! But here we are in the last week of January 2012, and I am finding that there are more incidents to count than fingers and toes will allow. In fact, we seem to have entered the year of the UK Olympics with a bang, in what ‘could’ be described as ‘Industrial Strength Insecurity’.
Now I hate to say I told you so, but toward the end of last year I was asked for my thoughts on what was to come, and sadly I was pretty much on the money. However, this prompted a communication from an IT Director I once knew, who, having read my predictions in the press, asked if the comments were just ‘wishful thinking’ – and that really did strike a chord. If this is how this particular ‘responsible’ incumbent assessed the current landscape of risk, then no wonder we are in such deep doo-doo.
But that said, help is close at hand, and as we enter the warm-up to InfoSecurity 2012, I am confident that a number of top-shelf, capable technologies will be on offer to secure the enterprise against cyber-attack and compromise. I am equally confident that many such technologies will find themselves contracted to deliver cyber defence capabilities into a large number of procuring organisations. But it is here where I would wish to raise a cautionary hand, and ask that the ‘point-and-click’, application-led approach to delivering such security technologies to defend the business is conjoined with a ‘Strategic Blueprint’ accommodating the imaginative security mind, for in my opinion only then may one walk away with a modicum of assured confidence that, at that particular moment in time, best endeavours were applied.
We know that big players ranging from RSA to Sony, from Symantec to the UK and US Governments, have suffered incursions, data losses and compromise, and we are only too aware of what public consumption of humble pie looks like, so it's possibly time to change the recipe by augmenting it with a few more ingredients of security strategy. Maybe the time has come when we should acknowledge that the current winners on the Black Hat-v-White Hat battleground are the former combatants. Maybe it’s time for us to hold our hands up and admit the good guys are currently losing in the circus of CyberConflict. And maybe, just maybe, it is time for my past acquaintance, the IT Director, to do more than sip at his morning coffee, and give it a bloody good sniff.
The absolute bottom line is that the industry approach to engaging with CyberAdversity ‘must’ change. It is no longer enough to produce a thick policy, or an ISO 27001 set of controls, out of the Ivory Tower and expect them to be enough. It is now about promoting a new breed of CISOs and Information Security Professionals, investing time in a good dose of Situational Awareness, and getting down and dirty to fight the good fight. However, as an alternative, one could always whip up a heavy security policy with which to bash the opponents over the head – but let us be honest here, thus far that fluffy approach has not worked – has it?