Managing risk has been looming large on my radar over the past months, from many angles and for many reasons. There seem to be a lot of ‘is it me?’ moments happening to me these days - clearly a sign of age and hopefully wisdom - but in reality, also a sign of needing to make sense of all the madness surrounding us by way of the volume of information available, the conflicting statistics and reporting and a need to sift out what is important amongst it and find a clear route through to doing the right thing by either a data controller (organisation, corporate, whatever), the data processor (outsourcer, cloud provider, again whatever) or the data subject, client etc... so many angles, so many requirements.
I read an article about emerging technology risks requiring attention earlier this week and had an immediate ‘is it me?’ moment when I saw the areas of emerging risk that people said they were concerned about. The contents in itself were not surprising - cloud, mobile devices etc. Business interruption also featured - something that poor old RBS must be considering at some length as they continue to deal with the fallout from their significant system outage this month. What’s happened to them has to go in the camp of catastrophic risk - to the business - and it can’t even be blamed on anything cyber at all.
As an aside - and as an interesting example of the difficulties we have stored up with our ever-increasing reliance on all systems being based in the electronic realm - there were those who could not use their (insert bank name) cards, who found themselves in the awkward position of requiring services from merchants who would not accept cash. What happens when we have all, as the marketing hype would have it, gone over to contactless cash, using our mobile (smart) devices as wallets? The success of that is certainly in question when articles like the one which appeared in the Sun are what the average man in the street is exposed to. It’s funny how these things get reported and presented - ‘TWENTY million Brits are at risk of having their bank details stolen by electronic pickpockets’ - OMG, immediately panic!... and apparently line your wallet with tinfoil. But why only 20 million, given that other statistical reporting would have us believe that every single home in the land has at least one smart device per person these days? So many questions!
Or this article with the headline that Eight out of Ten Mobile Banking Apps are Vulnerable to Hacking. There must be something in our psyche that allows us, as a race, globally, almost lemming-like, to follow the latest trend of technology irrespective of the available warnings - presumably it’s something like smoking... The pull of the bright shiny ‘toy’ is stronger than any damage it may cause, to your wealth or your health.
As a further aside, and with apologies for the short notice, for those of you who like surveys - either reading them or participating in them - there’s a last-ditch chance to participate in the GRC Maturity Survey for 2012 (it closes this Sunday, 1 July 2012).
The OCEG request is for:
- Responses from multiple roles within each company (especially the c-suite roles);
- Broad international participation and high numbers within more industry sectors;
- Good international participation from government agencies.
To return to my thrust.
Security is a noun, and in our industry we use it in the Oxford English Dictionary (OED) sense: the state of being secure, and the precautions taken against espionage, theft etc.
Cyber relates to electronic communication and virtual reality - again, according to the OED. Not that you needed this spelling out. But every now and then, I think we need to take things back to basics and strip away all the marketing hype and industry waffle and really think about what is being said - and what is being feared, particularly when discussing risks.
In the results of the survey originally referenced above, ‘cybersecurity’ came out on top. This presents a linguistic challenge. How can ‘cybersecurity’ be an ‘emerging risk’? Why do we put up with this linguistic nonsense? Think about it. It’s the wrong term, the wrong phrase, the wrong emphasis. If we had ‘cybersecurity’ - i.e. security in all things cyber, it wouldn’t be a risk to be worried about, now would it? So, to be technically accurate, the ‘emerging risk’ should be ‘cyberinsecurity’ surely?
Either way, surely it is not an emerging risk? It’s been talked about for years now; it’s been written about for even longer. Is ‘security’ a risk in itself? From what point of view? Not being secure is the risk... depending on your viewpoint.
There was another great article that really encapsulated this conundrum towards the end of May. The author, David Rowntree, came up with his own law - ‘Rowntree’s first law of computer journalism’:
The amount of insight in a computer security article is inversely proportional to its use of the word ‘cyber’.
So a) it’s not just me (and to confirm this still further, I was delighted to receive notification of an IISP talk coming up next month posing the question of whether cyber is just information assurance by another name?!) and b) people know this is what is happening to us, in our industry. It’s not just journalists - it seems to be everywhere. Everyone has fallen down the cyber hole and can’t find their way out to the light of sense. Can anything be done to stem the tide of the madness? It seems like it may take anything up to a generation to dig out, but we need to keep chipping away at the madness and shine a light on it wherever we stumble across it, so that we can fear it less and less. The reality of ‘doing’ security and being secure is, in so many ways, relatively simple to achieve: do the basics well, rather than over-complicating things. If we start from the bottom up, from core principles, a lot could be done and improved.
There are those who say that we need to think differently and be creative - but in many ways that is pandering to the perceived constant need to look like we are innovating. In the world of dentistry the ‘big innovation’ has actually been to go back to basics. As a patient, you now spend more time with the dental hygienist than you do with the dentist. The hygienist tells you the same thing every single visit. Brush regularly, floss more, use the interdental brushes, reduce your plaque, rinse and repeat. Their role is ‘preventive oral hygiene’. And that’s our role in security too - ‘preventive systems / information hygiene’, if you will.
So, when you visit the likes of the SANS Top 20, as we affectionately refer to it, for guidance on how to be secure, you will find things that get repeated over and over in all sorts of other locations too (there are many resources I could have chosen). And yet there are so many organisations, institutions etc that are still not doing these things well - the basics - perhaps because they have progressed to the fancy digital toothbrush and assumed that the technology was taking care of them. It’s time we got back to flossing more, rinse and repeat... Then we might at least be better prepared for the ‘emerging risks’, whatever they might actually turn out to be, given that in the main they are already here and happening to us.