Security Wisdom or Security Knowledge?
I have often asked myself the question, “How does an organization make decisions when it comes to implementing preventive controls for IT Security?” This post is all about preventive controls and in no way reduces the importance and necessity of detective and reactive controls.
The most likely answers which come to my mind are
Would implementing certain preventive controls make the organization "feel secure" or "be secure"? Feeling secure is a perception, while being secure should be a reality. Implementing a firewall could give the organization the feeling of being secure, while in reality this could be far from the truth. The organization could be secure from certain threats and vulnerabilities, but not against a government or state-owned entity that might have the means and technology to break through the firewall.
This throws up additional interesting questions: secure against what, and secure from whom? Is the firewall a preventive control against all threats, bad organizations and people out in the dark? We could debate the merits and demerits of these questions and provide arguments for and against. However, I want to address the larger question which comes to my mind:
Are decisions to implement preventive controls based on Security Knowledge or Security Wisdom?
Knowing that a tomato is a fruit is knowledge. Knowing not to put a tomato in a fruit salad is wisdom. Better still, wisdom is knowledge applied with some common sense.
The eight points I raised above all fall under the realm of knowledge, as we are dealing with facts and ideas that are acquired through study, research, investigation, observation or experience. Knowledge changes as understanding changes.
Security wisdom would be the ability to discern and judge which aspects of that knowledge are true, right, lasting and applicable.
In other words, knowledge is a tool and wisdom is the craft with which the tool is used toward the creation of value. It is a well-known fact that humans are the weakest link in any security chain or process. As a security professional, I strongly believe that security is a collective responsibility. If security professionals are to be held accountable for breaches, then it behooves an organization to ensure these positions are filled with persons of the right mindset.
In conclusion I would like to suggest the following:
Hey, need a bottle of Jack and a cigar for discussing this one frankly :). This is highly philosophical in my opinion but here are my 2 cents:
Bottom line - it all comes down to 1) the organization realizing that its most valuable asset is the data and 2) external (legal/regulatory) requirements.
"Feeling secure" in my opinion is utopia.... sounds like "zero risk"....= impossible.
Implementing security controls has never been and will never be about "feeling secure" or eliminating risk - it's about reducing risk - it's not about making it impossible for intruders to breach - it's about making it as difficult as possible, as frankly.... there is no environment that cannot be breached or "hacked". Building the security strategy should be driven by the "constant threat" principle, meaning that one should assume that their environment will 100% be attacked. How sophisticated and complex the security strategy will be is a matter of risk appetite, value of the data, finance and other stuff, but it all comes from the organisation itself.
It is ridiculous to ask "from whom should we secure our data" - especially for a big company with a name and share on the market....
Very good insight. But the reality is, most organisations would rather spend zero on security and controls if they could. Many put faith in cyber insurance, but once the first incident occurs, then they come back and put clauses into their subsequent cover, e.g. ISO 27001:2016 or evidence you have improved organisational controls. Compliance costs are increasing globally, given that many organisations, e.g. half of the Fortune 500, have disappeared due to factors such as digital transformation - this trend will probably increase. It appears to be in the human psyche not to invest or put the appropriate measures in place unless you really have to. How high must the penalties actually rise before the majority of organisations take it seriously?
So I think this is an evolving space. I did a lot of work for the US government. They used to operate on your model of feeling secure by implementing all kinds of checklists. Problem was that the checklists were very inflexible and did not take into account the situation and level of risk present. They also did not allow for making risk based decisions quickly. So in reality even though they felt secure they were not secure. Consider this make-believe scenario:
An Inter-Continental Ballistic Missile (ICBM) has just been launched and it will hit its target in 35 minutes. Your base is the target. You can scramble F-16 jets that can intercept it in 5 minutes. The pre-flight checklist takes 30 minutes to complete. The regulations say you cannot launch a jet without completing the pre-flight checklist. The checklist makes you feel secure because you have not lost any jets so far by following the checklist; however, if you do not launch a jet or multiple jets to destroy the missile, you will lose all of them. Unless someone makes a risk-based decision to forget the checklists and just launch the jets, the base will most likely be destroyed, jets included.
So sometimes feeling secure means nothing when you are attacked. If you are receiving pushback on security spending, just point out to the board how most companies can find millions of dollars after a breach happens and the leadership has been fired, but would have had to spend much less if they had spent responsibly before the breach happened.