Every now and then, I have these deep thoughts regarding information security and business risks. One thing that keeps coming back to me over and over is the flawed logic behind many of the information security decisions being made in business today.
Logical thinking seems to be a thing of the past - a mindset that does not have a place in today's world. As with many things in our society - namely politics - we simply take our current situation with information security as the status quo, never really questioning how things are being handled.
The following misconceptions about security abound and merely serve to drive us further away from where we need to be:
- We performed a checklist assessment and everything is secure. There's no need to spend the time and effort looking at things in-depth.
- We have a policy against that so we're secure. Our auditor told us so.
- Our Web servers and e-mail system encrypt data transmissions with SSL so nothing's at risk.
- We have a service that runs general security vulnerability scans on our critical systems. If such scans can't find the important stuff, then the bad guys probably won't either.
- Our Web site has a security trust "seal" showing customers that their information is secure when they deal with us.
- We're compliant with HIPAA, GLBA and PCI. What more do we need? In fact, compliance is our long-term strategy to achieve the level of information security our business needs.
- Our security vendors have told us that if we use their products, we'll not only be compliant but also secure. It's like security in a box; it's really great.
- Our IT folks handle all the disaster recovery/business continuity stuff. It's not really a business issue so there's no need for management to get involved.
- We don't have an incident response plan. What's this "incident response" you speak of anyway?
- We use firewalls and anti-virus software. That'll really keep the bad guys away.
- We only test our network systems from an untrusted outsider's perspective. There's no need to look at our internal systems since they're out of harm's way.
- We're thinking of having someone come in and run a technical vulnerability assessment of our computer systems, but we don't really need anyone to review our policies and plans, interview our employees, and assess our overall IT operations.
- We protect our laptops using power-on passwords in the system BIOS. Even if someone were to reset this password, they would still have to know the computer's logon password.
- Our employees are trustworthy. They don't even know how to "hack" and even if they did, we trust that they wouldn't do anything to hurt the business. In fact, we like to think of our workers as "gruntled" rather than disgruntled and we're going to try to keep it that way.
- Our physical security team does their own thing. The people in IT love not being responsible for any of that.
- We're not going to address security now. It can wait, and it doesn't really affect our business anyway.
I often stop and think to myself: how did we get here? Are we out of our minds for managing business risks this way? It seems that we're lost. It is as if security is a hugely complex and unattainable goal that requires a complete overhaul of our culture and how we do business - and we are afraid to step up and address it. The apparent mantra is that we'll just ignore it and hope it'll go away. Why?
As Rush, one of my favorite bands, put it: "If you choose not to decide, you still have made a choice." Information security is a matter of choice. The sum of our decisions up to this point defines exactly where we are with information security right now. Peter McWilliams once said, "We are all, right now, living the life we choose." The same goes for information security and managing business risks.