Security Controls and Lessons Learned from the Financial Crisis
Bryan Casey 270003BSJV BFCASEY@US.IBM.COM | | Tags:  security ibm mortgage financial crisis
0 Comments | 2,836 Visits
You know one of the interesting things I've noticed, and it's not really specific to security, is that the more interconnected the world becomes, the harder it is to find the root cause when something goes wrong. If we look at the financial/mortgage crisis for example, if you wanted to point the finger at one person or event, could you do it? I've wanted to for a long time, tracing this chain back to some single point of failure, but it's really not possible. When something like this happens, where there isn't one root cause, accountability becomes a big mess because everyone can push the problem onto someone else. The problem is that if everyone pushes around problems, problems never get solved. So, the way that we need to look at it is that instead of there being limited accountability, there needs to be a lot of accountability.
This type of complex interconnected failure isn't so different from what we see in the news around data breaches. People want security to be simpler and they want to find that single point of failure, and sometimes it's there, but often times, it's really not. Our technology world has grown to become a complex systems of systems where legacy systems are communicating with new systems, the notion of a perimeter is dissolving, new consumption and delivery models are popping up all the time and we have to secure all of this.
Let's face it, the majority of attacks today don’t operate in little silos. They can cross users and endpoints, applications, networks, databases, etc. So despite the fact that you might have different teams responsible for all of these areas of your system, and you might see them as separate, attackers see this as one, connected system. As a result, when breaches happen, often times it is often a combination of insufficient security controls, problematic policy and even things like a lack of user education. When we live in a world of complex and networked technologies, the notion of a single point of failure is disappearing.
So what do we do about this? Obviously a layered defense is imperative. You need to think about your data, how it moves, where it rests, how it gets accessed, which data is most important and how you can apply security controls all along the way. Moving away from just the technology, one of the other things that people talk about is accounting for the human element in security. When people are talking about this they are generally referring to the fact that users will click on just about anything, so security has to acknowledge that users are going to constantly put their organizations at risk. But there's another side of that human element that I think is important, and that is establishing a culture in your organization that security needs to be top of mind, and that everyone is responsible. Whether you are a developer, a DBA, an executive who might be targeted or an IT manager, security is something you need to consider. Yes, new technologies will help, but changing culture and process, while never easy, is almost always an essential element of dealing with systemic issues, whether they be financial markets or security concerns.
The last bit worth acknowledging is the dangers of ignoring something that appears broken, but ignoring it because it hasn’t actually broken yet. So in this case we’re talking about warning signs around the economy but the market still going up, and IT decision makers saying, "well we haven’t been breached, so we must be secure," regardless of their actual security posture.
Despite what we would all like, these aren’t issues you can just sweep under the rug and cross your fingers hoping that a problem won’t pop up. Organizations need to confront these issues.