Friday, October 2, 2015

Can You Secure the "Unsecureable"?

The trends in technology follow certain patterns.  Speaking broadly, most people can remember some of the bigger ones:

  • Y2K
  • Internet e-commerce purchasing (the rise of Amazon)
  • Big Data
  • Mobility
While I'm sure that each you, my readers, could double or even triple that list in 30 seconds, the point is made.  When dealing with information technologies you can expect a new, big trend to pop up every year or so.

Usually a trend becomes important because it marks the next big area where investments will flow and IT budgets are aimed.  This year, in 2015, a whole new trend has gained tremendous momentum, but not in the traditional way.  The trend is all about information security and the tools and products of the (near) future that will protect companies and critical data assets.

But why information security and why now?  Haven't there always been threats like viruses and penetration attacks?  The answer to that is yes, but the stakes have become greater.  Unlike the past where companies like Target or Sony were targeted by high-tech thieves looking for monetary gain, the threats today are most likely coming from sovereign governments! (And their motivations are likely not about money)  

Would you believe that just this year the government of the United States of America was specifically targeted and attacked?  The prize was the complete personnel data on over 20 Million federal employees.  Not only that - our government has estimated that security incidents involving the integrity of the systems that run our country have increased over 1,100% over the past decade.  We have truly moved past the era of annoying viruses and into a new age of massive, ongoing war in cyberspace.  Many times we can't even identify the players and the action they take are not always easily understood.

So how do these things manifest into corporate America and ultimately affect our lives and careers? 

First and foremost, many of the businesses in the United States are completely unprepared for the new realities and risks of cyber security.  According to some estimates, about a third of the companies in the United States have absolutely no formal infosec competency.  If this fact is indeed real, there are a number of implications.  Perhaps the biggest implication for us all relates to our employment.  If an external entity could learn everything about us - see all of our secrets and lay them bare to the world (a la Eric Snowden) - would our companies be able to survive?  Being honest with ourselves, many of the threats that we (our companies) face are ones that we are completely unprepared to face.  That shouldn't make us fatalistic - rather it must be a wakeup call that we must actively work to build our security capabilities.

A second concern as it relates to business is to decide *when* to get serious about information security.  The truth is that most of the impetus to spend on information security only gets generated after an event occurs.  Operating from a reactionary position is a bad place to be.  Ask the French how that whole Maginot Line thing worked out for them.  It can be a very difficult task to get funding and resources for prevention activities.   Imagine a conversation with the CEO where she says, "You want me to approve $2 million for new software and hardware to prevent something that might happen?"  That's not a comfortable position in which to be, but it doesn't have to be fruitless.  With so many published examples of the effects and aftermaths of information security attacks, there are many ways to illustrate the pain of others and to explain how the same things can happen to you.

Finally, on a personal level the threats from information technology sources are much more prevalent than any type of violent crime.  In fact, as of 2013, if you were an adult who lived in the United States there was a 7% chance that you would be a victim of identity theft.  What's more, if you were targeted you could expect losses of around $3,500.  From personal experience, in just this year (2015) I have had to change the number on two of my major credit cards.  For my American Express card, I've had to change it twice this year and have seen fraudulent charges of over $4,000. (For the record - AMEX is great!)  I've had to change my entire approach to how I protect both myself AND my family.  It's no longer good enough to react to events as they occur.  I do a number of things to actively manage my risk and so should you.

Can you secure the "unsecureable"?  No, the bad guys are always going to be a step ahead, especially if the bad guys are also the good guys.  But one thing is certain.  Those that are proactive and motivated will be MUCH better off than those who do nothing.

Since this blog relates to IT (most of the time), here are some companies you should check out.  There is some tremendous innovations happening in the infosec space right now and these companies are right out on the front lines with so truly wondrous products and services.
  • Tanium
  • FireEye
  • Checkpoint
  • Blue Coat
  • Splunk
  • Imperva
  • Websense
  • Palo Alto (hardware)

No comments:

Post a Comment