Security Enigmas for CIOs
This article is a personal reflection from one of our consultancy team, drawing on 25 years of experience as a CIO in industry and government.
Let's be honest: genuine information security is the Achilles' heel of most organisations. And CIOs are normally left holding the baby. The perversity is that the root causes of most information security incidents are not normally down to the technology; they lie in the embedded behaviours of user communities. All CIOs have war stories of how well-designed (at times, obsessively so) security regimes are undermined in simple ways by users normally motivated by a simple desire to get their job done with minimum hassle. My favourite real examples include:
- Soldiers in remote territories using mobile phones to exchange operational data as encrypted communication equipment is not available or cannot cope.
- Probation officers routinely using Hotmail to exchange sensitive offender data, as the remote security solution is unaffordable/unworkable.
- Cabinet Office memos urging compliance with government information security standards being UNCLASSIFIED to ensure a wide readership; issued in breach of the very guidelines they espouse.
- Widespread personal use of Dropbox to circumvent onerous and impractical corporate file storage requirements; thus ensuring that the current data that really counts resides in the 'cloud'.
- An international professional membership body that locked all access to their database from 'foreign' staff, ensuring they maintained separate spreadsheets of local members with zero security.
- CEOs using SMS to communicate sensitive commercial information, bypassing all internal monitoring and archiving.
In many organisations the growing use of tablets and smartphones has already destroyed any pretence that key information is under control and retained within their technology boundaries.
In all this the audit and compliance community pursues the holy grail of perfect information security with increasing rigour, creating a tortuous regime of standards and methods - a whole industry - that are virtually impossible to maintain.
The common outcome of this is that some luckless senior manager - the CISO (Corporate Information Security Officer) or SIRO (Senior Information Risk Owner) - is set up for failure, given that he or she cannot possibly control the information beasts that are already out of control and breeding voraciously.
The normal response to this is to try to force these beasts back into cages: data ownership responsibilities, protective marking of documents, BYOD constraints, email disciplines and so on, all of which are routinely ignored by the busy staff that really count.
Perhaps I am being unduly cynical, and the answer lies in more cages and increasing penalties for abuse.
In some instances the penalties now being imposed for significant breaches in the handling of personal data, the recent £250K fine for Sony for the loss of PlayStation accounts for example, may act as a wake-up call; though this is small beer relative to a company with a turnover exceeding £1 trillion!
The answer may be in better training and awareness; some companies have an annual information risk awareness questionnaire to help embed awareness of the issues.
Perhaps more advanced technology will plug some of the gaps, though experience shows that fool-proof security algorithms are routinely cracked or left open to simple human error. Blind faith in technology is the hacker's delight!
I believe the answer may be to recognise reality and focus more resources on tracking potential abuse, using pattern recognition algorithms and other tools used by professional hackers.
In a recent assignment I was impressed by the work of a small security team that included a Certified Ethical Hacker. One fruitful approach was to create a comprehensive log of all network activity and then filter this huge data set intelligently to identify anomalies. This approach mirrors the way in which credit card companies look for activity that deviates from normal usage patterns.
In another simple example the team analysed all mobile phone records and spotted the few with premium text costs (purely accidental of course); staff awareness that this was being tracked had an immediate impact.
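The baseline-deviation filtering described in the two examples above, as an added illustration rather than the team's own tooling: a small Python routine over constructed per-user monthly charge records (the same logic applies to per-host network counts), which builds each user's own baseline from earlier periods and flags the latest period only when it deviates by more than a robust threshold, staying silent where the history is too short to judge.

```python
"""Baseline-deviation filter over a constructed activity log.

Each record is (entity, period, value), e.g. a user's monthly mobile
charges or a host's daily outbound bytes. For each entity a baseline is
built from the earlier periods and the latest period is flagged when it
deviates from that baseline by more than THRESHOLD robust deviations.
"""
from collections import defaultdict
from statistics import median

THRESHOLD = 3.0     # robust z-score beyond which a period is flagged
MIN_HISTORY = 3     # periods needed before a baseline is trusted

# Constructed sample data (not from the article): monthly phone charges in GBP.
SAMPLE = [
    ("alice", 1, 22.0), ("alice", 2, 24.5), ("alice", 3, 21.0), ("alice", 4, 23.0),
    ("alice", 5, 22.5),
    ("bob",   1, 30.0), ("bob",   2, 28.0), ("bob",   3, 31.0), ("bob",   4, 29.5),
    ("bob",   5, 184.0),                      # unusual spike this month
    ("carol", 1, 15.0), ("carol", 2, 15.0),   # too little history to judge
]

def robust_z(value, history):
    """Deviation of value from history in MAD (median absolute deviation) units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:    # flat history: any change at all is notable
        return float("inf") if value != med else 0.0
    return (value - med) / (1.4826 * mad)   # 1.4826 scales MAD to sigma-like units

def flag_anomalies(records, threshold=THRESHOLD, min_history=MIN_HISTORY):
    """Return {entity: (latest_value, score)} for entities whose latest period is anomalous."""
    by_entity = defaultdict(list)
    for entity, _period, value in sorted(records, key=lambda r: r[1]):
        by_entity[entity].append(value)
    flagged = {}
    for entity, values in by_entity.items():
        history, latest = values[:-1], values[-1]
        if len(history) < min_history:
            continue    # insufficient baseline: do not guess
        score = robust_z(latest, history)
        if abs(score) > threshold:   # flag deviations in either direction
            flagged[entity] = (latest, round(score, 1))
    return flagged

if __name__ == "__main__":
    for entity, (value, score) in flag_anomalies(SAMPLE).items():
        print(f"{entity}: latest={value} score={score}")
```

Tuning the threshold and the minimum history against a quiet period first keeps the alert volume at a level a small team can actually review.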
The future of information security will be in the way the unique data DNA of any enterprise is registered and managed in the universal cloud, with alerts arising when significant mutations are identified; much in the way that a new virus may need a high level of focus to see if it is benign or malignant.