
Today’s unanswered question: Why do organizations think they are secure?

Recently I’ve been asking friends, colleagues and clients what they think are the most important unanswered questions in tech. I thank Ian Murphy, who works in the security industry, for the following conundrum:

“Why do companies with little or no real security experience think they know their environment better than anyone else? That is, because it’s ‘their’ network, they feel best placed to identify attackers (even those with advanced techniques who hide in the normal traffic noise)?”

It’s a good one. I’ve been working in IT for decades and I remain baffled as to how we lock up our houses, secure our vehicles and seal away our valuables, and yet, in the corporate environment, senior executives still question the need for security expertise. Ignorance, it would appear, is bliss.

While the problem may be technological, I suspect the answer is inherently human. Back in the day, when I was an IT director for a subsidiary of Alcatel, it took a major security incident on my watch to trigger any release of monies from my superiors.

Now, I recognise that I am already looking guilty of transference: wasn’t I the person responsible for securing the network and servers? While this is true, anyone who has worked in this environment knows just how complicated it can be to ask for security budget. I know I tried.

And indeed, I remember the feeling of “I told you so” even as I worked with my team to rebuild the previous day’s data sources from (offline – phew) optical backup drives. Suddenly the cheque book was open and we could self-authorise training courses and enforce stricter policies — it was an internal breach.

So, I’m not sure organizations do think they are inherently secure, or that it’s nobody else’s business. I think, a bit like that feeling as we head down a dirt track on a mountain bike, we simply hope that the bad things won’t happen. That might have worked back in the early 1990s, at least some of the time.

The difference now, however, is that bad things are happening, all the time. We have moved from a state of security by exception (where probability was relatively low, even if impact was high) to a situation where all organizations are under constant attack.

This isn’t the latest missive from the industry, keen to sell you some security solution; it’s a fact. The probability is very high that, right now, an automated software package is trying to infiltrate your corporate boundary. The impact is as high as it ever was, so with probability up and impact unchanged, overall risk has increased.

Somehow, however, we still retain the attitude that ignoring the problem will get us through. Denial has been a fantastically useful tool in our evolution, without which we may not have survived as a race.

Like the shell on a tortoise, however, it wasn’t designed to deal with the threats of the technological age. Indeed, the smarter cybercriminals are basing their strategies on our hope against hope that the bad things will not happen to us.

So, the answer to the question is potentially not that companies think they know their environment better. Rather, that they don’t want some third party coming in and rubbing their noses in their own ignorance.

Indeed, I’ve heard of cases (perhaps we all have) where organizations have decided against an audit, lest it turn up things that will have to be dealt with. Which is quite staggering, if you think about it.

What’s the answer? Sometimes it takes a major breach to shake board-level execs out of their reverie. However, relying on this approach is possibly the highest-risk strategy of all.



from Gigaom https://gigaom.com/2017/12/27/todays-unanswered-question-why-do-organizations-think-they-are-secure/
