I think it is extremely important for an organization to account for the reality of doing business (Risk based approach compared to the purist mentality of securing everything) when strategizing an information security plan. It is true that an individual who has a habit of perceiving security issues as purely a technology problem without understanding the business reality is likely to make bad security decisions.
However, I think some people in corporate security take this argument too far and end up awarding critical roles to individuals that do not have the appropriate skill-set and mind-set. More often that not, this happens when organizations responsible for information security misunderstand the argument to mean that you only need to probe for the understanding of business fundamentals and process management when recruiting for talent. Depending upon the criticality of the role awarded, this can deem disaster.
It is my opinion that, in order to construct a talented security team, it is most important to select leaders that have a genuine passion for the technology aspects of information security, yet understand business reality enough in order to serve as liaison between technology and business.
I believe that genuine passion for information security derives from passion for technology, which in turn derives from passion for science. One does not need a degree in science to satisfy this requirement, but only the tendency to indulge into scientific discourse. The following is therefore one of my favorite questions to ask individuals that have progressed in their career in information security:
What have you changed your mind about? Why?
John Brockman has posed this question at http://www.edge.org/q2008/q08_index.html. Richard Dawkins does a fantastic job of explaining why this is such an important question:
When a politician changes his mind, he is a ‘flip-flopper.’ Politicians will do almost anything to disown the virtue - as some of us might see it - of flexibility…. Leading Democratic Presidential candidates, whose original decision to vote in favour of invading Iraq had been based on information believed in good faith but now known to be false, still stand by their earlier error for fear of the dread accusation: ‘flip-flopper’. How very different is the world of science. Scientists actually gain kudos through changing their minds. If a scientist cannot come up with an example where he has changed his mind during his career, he feels the need to apologize. He is suspected of betraying the spirit of science. He is hidebound, rigid, inflexible, dogmatic! It is not really all that paradoxical, when you think about it, that prestige in politics and science should push in opposite directions. I’ll take it no further than just to point it out, with a whiff of irony.
Now that I have brought up the importance of this question, it would be fair for you to expect me to answer it. I can come up with a list of things I have changed my mind about, but I’ll stick to one within the scope of information security:
I used to think that weak security controls and insecure software design are the root-cause for the rise of incidents pertaining to the compromise of PII (Personally Identifiable Information; think Social Security Numbers, etc) and other financial details (Credit Card numbers, bank account numbers, etc) that ultimately leads to the compromise of people’s identities (via stolen or lost laptops, phishing, web-site compromise, etc). Of-course, weak security controls are no excuse: every effort must be made to securely configure systems and to ensure that secure software design efforts are in place. In other words, insecure system and application implementations obviously facilitate the problem but I no longer believe that they are the root-cause.
I believe that the root-cause for the reason why people’s identities are being compromised at an alarmingly increasing rate (data leakage) is that the financial institutions authenticate transactions based on a static identifiers.
To put it another way, think of a scenario where you are given an identifier such as the following: 1R3D1D9JJBKDD2ADCDB09234. You are then told that your identifier is your identity, and it can never be replaced. Having heard this, you do your best to protect its secrecy. However, you are also told that you need to disclose the identifier in order to commit any financial transaction. In other words, you must disclose it every time you apply for a loan, open a bank account, sign a cell phone contract, sign up for cable TV, obtain employment, and so on. After a few years, your identifier is likely to be found persisted on hundreds of databases across the world: your employer, your bank, your cable TV company, and any other organization you have committed a financial transaction with is likely to have a copy of it. The companies you give this information to promise to perform routine security audits to ensure that your identifier is secure.
Here’s another scenario. Let’s assume you live in a world where your email address is also the password used to access your email. You are therefore instructed to only share your email address with people you trust. Your web-based email provider promises to perform routine audits on its applications to give you assurance that they are free of security vulnerabilities.
The examples sound absurd, don’t they? Well, they are good examples of how Social Security Numbers (SSNs) work, and exactly how Credit Card numbers work. You take care not to blurt out your SSN to anyone on the street, yet it is likely to be stored on hundreds of corporate databases. You take care not to expose your Credit Card number, but you must hand it over to people you don’t know at retail stores if you want to use it.
We aren’t going to solve the problem of online PII compromise and identify theft just by writing even more secure code (although it certainly helps), or by continuing to play whack-a-mole with phishers. The system of relying on static identifiers to commit financial transactions needs to be rethought.
Commercial financial institutions such as credit card companies and banks realize that the cost of implementing a new system that does not merely rely on static identifiers is higher than the fraud committed, so they decide to accept the cost. This is the reason why the system has not changed. Unfortunately, financial institutions only take into account their cost when making this decision, but it also ends up affecting the lives of millions of people who have to pay with their identities when such fraud is committed (this cost is also shared by other companies that want to have the capacity to process transactions. The PCI standard is a good example of this situation).
For the next few years, we are going to continue to apply Band-Aids around the problem of data leakage, and continue to play whack-a-mole with the phishers without solving the actual problem at hand. In order to make any significant progress, we must come up with a brand new system that does away with depending on static identifiers. We will know we’ve accomplished this when we will be able to publish our credit reports publicly without compromising our identities.
What have you changed your mind about? Feel free to comment below.
[In the spirit of science, I’d like to conclude with a video clip from the TED conference that delights me every time I watch it]: