I find security very interesting. Both as a term and the concepts behind the term, I think it’s the most fascinating, ambiguous and misunderstood thing our industry grapples with on a daily basis. If you ever want proof of this, go around your organisation and ask people, “What does ‘IT security’ mean to you?” - you’ll get a different answer from each person you ask!
As amusing as this is, it’s also a real problem. With real consequences. I wonder how many vulnerabilities and high-profile data breaches could have been avoided if the business understood the answers they got when they asked unanswerable questions like, “Is the system secure?”
It’s such a problem that it’s now become a political issue. Recently introduced mandatory breach notification legislation is the first step towards us losing control and autonomy over how we choose to manage our systems and our data. We’re being forced to implement expensive, obsolete security measures and it’s pushing us to the point where there’s little incentive to go over and above what’s required for compliance.
So, let’s examine how the term “security” is used, and what it means to different people.
The system administrator. What they say: It’s insecure. What they mean: What you’re asking us to do goes against vendor security guidelines and/or established industry dogma. We don’t want to be ridiculed by our peers for challenging it, so we don’t.
The solutions architect. What they say: It’s insecure. What they mean: We’ve heard and/or read stories from others who did what you’re asking us to do and their systems were compromised by a malicious third party. We don’t know, nor can we get the details.
The penetration tester. What they say: It’s insecure. What they mean: It’s possible that if somebody with a specialised skillset spends a significant amount of time and money to study how your systems work, they may be able to use one or more vulnerabilities to take control of one or more systems.
The compliance auditor. What they say: It’s insecure. What they mean: According to this external compliance framework, there are additional measures you must implement, regardless of efficacy, to achieve certification.
The IT security/risk manager. What they say: It’s insecure. What they mean: According to this external compliance framework, there are additional measures you should implement to reduce the likelihood and/or impact of a cyber-attack and meet potential due care/due diligence obligations. We are unable to quantify the likelihood and/or impact of the risk either before or after you implement these measures. We don’t know if other companies of a similar size have implemented them either. We are also unable to quantify what your due care/due diligence obligations actually are. Despite all of this, you should do it anyway.
The executive manager. What they say: Is it secure? What they mean: Is what we’re doing comparable to what other organisations our size are doing?
The board member. What they say: Is it secure? What they mean: Are we doing enough so that I’m not personally liable?
The customer. What they say: Is it secure? What they mean: Can anyone else access, or has anyone else accessed my information, or any data about me that I haven’t made public, without my explicit consent?
Clearly, not only are we misaligned on the definition of the word “security”, we also have dramatically different security expectations. As a start, perhaps we need to expand our vocabulary with new words that have more context built in. As drastic as it sounds, maybe we need to explore moving away from using generic, meaningless words like “security”. Only then can we have a meaningful conversation about security.