The actual origination of the above phrase (worth reading in full) is Ecclesiastes 1:9, the Old Testament. With respect to whatever religion you worship, the point is simply to highlight the naivety in assuming something to be new or original without paying due attention to available mavens. Every “new” idea has some sort of precedent or echo from the past. Even Shakespeare took inspiration from this phrase, so if it was good enough for him, onwards! Whilst there is no denying that “the job writes itself” on a daily basis, whilst working in the realm of the determinedly labelled “cyber” domain, there are many of us for whom none of this is new; none of the headlines cause us surprise – just constant dismay. Yet we continually meet people who treat us like we are Galileo, like we are running around talking about Naked Emperors. Why yes we are, for they do exist! The issues have already been identified as have the solutions. As recently as June 2015, a senior UK Police Commissioner refused to believe me that we were talking about the “cyber” thing as far back as 12 years previously. In 2003, I was involved in a UK government sponsored study entitled Cyber Trust and Crime Prevention, which engaged with industry, academia and government colleagues alike in order to identify likely future challenges and seek to address them through policy changes, education and awareness. There were detailed reports produced at the time and various follow-up opportunities. The exercise ultimately published its findings on 10th June 2004. That was over eleven (11) years ago. This same blindness I describe above is very much at the heart of the PhD research I undertook between 2009 and 2015. 
The findings bear out that those in charge of policy making and in conducting certain related activities do not know enough about the actual subject area in which they are charged with making important decisions and thus cannot make effective risk judgments nor lead to sensible outcomes – a sentiment captured by Funston below:
“If people don’t know that they are incompetent in an area in which they are trying to solve a problem, their solution is likely to be suboptimal”.[1]
This is of significant concern, given the evidence of management hubris coming to light through the post-incident reviews and aftermath of data breaches. There is also risk (analysis) paralysis[2]: evidence of incomplete risk understanding, incomplete risk documentation, and evidence of inaction, which amounts to shouting about risk in a vacuum. Many of us attend meetings; read journals, blogs, and articles; and talk to each other about a subject we all know or write about ourselves through the myriad of communication channels available to us these days. Yet still the changes required are insufficient; the level of embedded practice is not taking hold; the “build security in” design principles have not been adopted sufficiently, as can be seen by the ongoing data breaches continually being reported in the news. Invariably, it turns out that the original chink in the armour was something basic, a fundamental security management tenet that should have been in place, such as patch management, vulnerability management, or, gee, not using a weak admin login password. More worryingly, there have been security professionals involved at some point in the journey of all the organisations experiencing breaches. There will also invariably have been audit reports highlighting areas of concern requiring attention. With respect to those who I know personally are involved, the notion of a UK “trustworthy software initiative”, however well intended, is actually naïve: it is doomed not to succeed sufficiently to address the severity of the situation we find ourselves in if it cannot actually address the source of the problem. The majority of application-level software is written in the languages required for iOS or Android, and thus the companies that need to be influenced to ensure the security of their platforms are Apple and Google. To the theme of this blog, consider this in the context of the original trustworthy computing initiative – one that is 13 years old.
When will enough be good enough? Not for as long as the criminals are better-funded and better-resourced than the rest of us, sadly. Being compliant is not the same as being secure. We’re seeing that clearly, given that many of the organisations that have experienced significant breaches over the last few weeks, months, and years have all had, to some extent, some regulatory or industry body standard for which they had evidence of compliance (PCI, HIPAA, ISO27001 etc.), irrespective of the actual law of the land with which they should also comply. There are data protection/privacy laws the world over that have central principles around protecting people’s data. It is not rocket science. There is a collective failure in the system of systems here – part of the complexity problem previously identified. We should have matured beyond tick-box compliance; we know that there is applicable legislation, and irrespective of our own subjective views on the validity or soundness of the constructs of the law, many countries have by now taken the time to commit to the legislature a statute that addresses either the cyber domain or the need to protect data. So what’s going wrong? Why are security professionals and auditors not being listened to? (Problem 1 – they speak different languages to address the same core issues – not good... Let’s return to that in another blog post.) Why are the available recommendations or identified risks not being adequately addressed? These are the questions that keep me awake at night! We are collectively risking significant backlash as a profession if we don’t start to really grab this ugly reality by the proverbial throat and shake things up. It’s time for a revolution because our evolution appears to be failing miserably. Remember this: ignorance is not bliss, nor is it a defence in the eyes of the law.
There should be no excuse given the availability of information for seeking out the truth, or at least ensuring one has researched and is well informed before embarking upon a perceived new route.
[1] Funston, F. and Wagner, S. (2010) Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise. Indiana: John Wiley & Sons. ISBN-13: 978-0470247884.
[2] Hillson, D. (2014) The Risk Doctor’s Cures for Common Risk Ailments. Virginia: Management Concepts Press. ISBN: 978-1-56726-459-3.
About the Author: Andrea C Simmons, FBCS CITP, CISM, CISSP, M.Inst.ISP, MA, ISSA Senior Member, has more than 17 years of direct information security, assurance and governance experience, helping organisations establish appropriate controls and achieve and maintain security certifications. Andrea’s most recent role as Chief Information Security Officer for HP Enterprise Security was one of worldwide influence addressing Security Policy and Risk Governance, seeking to support and evidence the delivery of organisational assurance across a wide portfolio of clients and services. Her work has included development of a patentable enterprise governance, risk & compliance (eGRC) approach to addressing business information governance needs. Whilst also spending the last 6 years researching Information Assurance, Andrea has published two books. She may be reached at [email protected]
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.