Security As Trust

I was recently thinking about the nature of business and questioning some of my assumptions. I’d like to share a bit with you.

It seems that organizations want to maintain close relationships with their customers, and those customers expect certain unwritten rules to be followed. These rules are so obvious that they’re often not consciously considered as anything beyond the background of our daily purchase decisions. Even so, I think it’s fun to look at this.

As customers engage with organizations, they expect a certain level of respect in exchange for the money they’re giving. They want the product or service to be provided at the level of quality they had in mind, to be provided in a courteous way, and to have their personal interests protected.

Essentially, customers expect these organizations to act respectfully and in accordance with their interests. They want follow-through on promises in a predictable and consistent way, products delivered with timeliness and quality, and the integrity of the transaction protected. These make people feel secure in doing business.

Put another way, people will only give you money if they feel secure you’re going to give them something of value in return. It’s not enough to give them the product and move on. The product must perform as they expect, they must believe you’ll stand behind the product, and they must be treated respectfully throughout the transaction.

Essentially, customers must trust you. This allows them to feel secure and builds the basic willingness to do business with you. If we think about it, this makes security a characteristic of a trusting customer relationship.

This is not so much the security that keeps people from doing bad things, but rather that which comes from a predictable outcome borne from a rules-based transactional structure.

So what does this have to do with computing?

We recognize that computing is often strategic to organizations’ customer engagement, as it’s used to ease purchasing, improve customer service, and streamline communications. And of course customers expect these computer systems to provide the same (or more) trustworthiness as an in-person transaction.

Yet I’ve seen substantial room for improvement in many organizations.

Instead of ensuring a consistent and safe experience, I see halfhearted stabs at security focused on keeping auditors happy. Instead of computers respectfully protecting customer data, I see systems with little operational discipline. Instead of a holistic structure that aligns to the needs of the business, I see technicians applying security controls with no concept of the overall goal. And worst of all, I see security technology that inhibits customers and the organization for no real reason.

This happens when IT organizations approach security as something they have to do instead of a business enabler. This behavior drives a minimal level of attention and investment that results in insufficient and limiting security. Security becomes window dressing to make managers happy, not a means to protect or enable customers and the business.

So ultimately, misaligned security hurts customer relationships because it’s ineffective, constrains business value, and acts inconsistently with customer trust. This leaves business leaders and customers frustrated while bad guys exploit security weaknesses to gain advantage.

We must transform the perspective that security is only about keeping bad people out of things or complying with regulations. A first step towards fixing this is reconsidering security’s very nature.

Instead of considering security as defense and compliance, I believe we should consider it as a quality of both an organization and its computing systems. Security should be a quality assurance function rooted in delivering trust to an organization’s stakeholders.

Next time I’ll talk about how to consider computing (and security) from this perspective of quality.

Ninjas and Accountants

We’ve talked about reasons IT security can fail and suggested the industry needs to do more. So what else can be done and why is the industry not stepping up?

I’d say it comes down to a misunderstanding of what security is, an underestimation of risk, and misapplied resources. Organizations are deploying ninjas and accountants to solve their security problems, and while these roles are important, they’re insufficient to secure a decent-sized organization. I think we need a broader approach. Organizations can apply a security framework like ISO 27001, which includes items like leadership alignment, planning, and risk assessment, to jumpstart the process.

Guidance helps because even experienced IT leaders don’t understand security very well. They tend to regard security as another technical problem in their technical environment. So they buy and configure technology, and as with other technologies, they’ll find a technician to run it.

They’ll look for the most technically proficient engineer they can find with a broad understanding of the components of security – a ninja. From the organization’s perspective, this ninja should be skillful, protective, and most importantly, silent. For many organizations, it’s most convenient if the ninja does not ask people to change areas like applications, architectures, operations, or human behavior to be more secure. Better that they do their work in the shadows and not bother anybody.

IT leaders often give minimal guidance and support to these ninjas. This isn’t so much because they don’t want to, but rather because the leaders don’t know what support is required. Ninjas tend to say little because, speaking in broad generalities, they’re not always the most social type. They enjoy security and like to focus on their jobs, which means they prefer to minimize talks with the boss. This creates an environment of de facto benign neglect.

OK, to be fair, it’s not total neglect. IT leaders often apply the IT security aspects of regulations like Sarbanes-Oxley, PCI, GLBA, and HIPAA, not least because they’re required to and they’re told it’s the right thing to do. These regulations include guidance that represents a minimum bar for security configuration. They’ll use accountants, i.e. security auditors, to create a “security by checkbox” approach to verify what the ninjas have done.

While this is useful, it is insufficient to ensure security of an environment. Truthfully, the bad guys know all about the regulations, see their weaknesses, and are expert in exploiting organizations that stop there.

To see why security by checkbox isn’t enough, let’s imagine we’re leaders of a country that wants to defend itself.

If we were to take a similar approach to defending our country, we might imagine that we want to be safe from an enemy army. We look at other armies and see they have a lot of people with guns. We decide to mirror them by buying guns, training people, and deploying our army on the frontier. We’ve spent a lot of money and see people with guns so we assume we’re safe.

Simultaneously, we have a previously unknown enemy who sees our activity and looks for weakness.

We haven’t thought about who our enemy could be or created an intelligence community to find out. We haven’t considered what’s most at risk in our country or established foreign relations with our neighbors for support. And finally, we have the army but we haven’t really committed to being safe, which means we’ve underfunded the effort.

Essentially, we’ve spent a lot of money to give ourselves the perception of being safe.

This means nothing to our enemy. He easily finds a weakness and we’re surprised when he’s rolling through our capital city. Worst of all, we knew about this weakness but were unwilling to fix it because it was too much trouble.

This is what happened with the Maginot Line, France’s ineffective defense against Germany, leading to their quick loss at the beginning of World War II. Sad story.

Does this remind you of some of the massive surprise data losses we’ve seen recently?

Our takeaway is that a false sense of security is worse than no security at all, and that deploying assets without a strategic plan – security by checkbox – is an invitation to loss.

Most organizations already know this, even if they don’t appear to. After all, skilled business managers wouldn’t apply only ninjas and accountants to new product development, customer service, distribution, or sales. Instead, they would create a structure around those business processes to ensure their resiliency and ability to adapt to changing conditions. They know this is necessary because they’ve been steeped in capitalism’s competitive culture. They also know that they will go out of business soon if they don’t take care of their business processes.

Computing has become the backbone of many organizations’ business processes, yet it has not been subject to the same discipline as other processes. I’ll discuss this in detail in a future post, but it basically boils down to that benign neglect. IT workers and consultants often know there are problems and could do more, yet they often find it easier to keep quiet, mostly because they’ve found business leadership isn’t open to the discussion. Business leaders have not awakened to the need to apply the same discipline to computing as the rest of their processes. And in the end, ninjas and accountants won’t get it done.

I recognize that it’s hard to do something like this from scratch and security frameworks are a helpful way to start. Even so, they still only provide some basics and organizations must apply their own discipline to ensure proper security, both protecting and enabling the business.

Is It Really So Bad?

Last time we discussed how the internet has become increasingly dangerous. So how well is the IT industry doing at protecting against these threats? Not very well, I’m afraid. And to discuss this, I need to share a bit more bad news before we get to solutions. Please hang with me here. I swear it’ll get better, but we need to know what we’re dealing with first.

So we have many examples of organized crime seeking economic gain, companies seeking economic damage, and nation-states seeking privacy, economic, and military intelligence or attacks on critical infrastructure. More recently we’ve seen interference in American news and elections.

And new examples of hacks seem to be released every week, including Target, the Office of Personnel Management (OPM), Deloitte, the Securities and Exchange Commission, and Equifax.

Each of these is very damaging, each for its own reasons. The Target breach caused not only millions in financial losses for Target, but also motivated every credit or debit card in the US to be upgraded to chip technology. This change was a long time coming and I’m personally happy to see it, but it was a substantial disruption to anybody that processes credit cards.

The OPM breach disclosed personal information on almost everybody who is or has worked for the US Federal Government, including people with classified clearances. My understanding is that there is no recovery from this breach. It’s possible to leverage this information for numerous purposes that hurt the US, and the impact to the intelligence community is devastating.

The impact to Deloitte appears to be unknown, at least publicly, but I see consultancies as rich targets for gaining intelligence on their clients. This shows bad guys have multiple ways to attack organizations. It’s necessary for companies to trust consultants with their information much as patients trust their doctors, which is why this one hits me hard as a consultant. To be clear, I’ve never worked for or with Deloitte, but I feel we all hold this responsibility as a consulting community. Sadly, but very commonly, the hack went on for months.

Frankly, each of these hacks is indescribably bad in different ways. But if I had to pick, Equifax is worst of all, since the breach disclosed the most critical identity information for US residents: name, birthdate, and Social Security Number (SSN). This is all the data needed to steal someone’s identity, which has ruined many people’s lives. It leaves people vulnerable to many problems, including falsified tax filings, medical fraud, and ruined credit for children before they’ve grown up. It’s so bad the government is talking about removing SSNs from these identity transactions. Similar to the Target breach motivating issuance of chip-based credit cards, I think this is long overdue. But it’s going to be very expensive, not only to replace SSNs themselves, but also to protect against the fraud that’s likely to come. How sad that we had to be hurt to start paying attention.

This is a litany of high-profile breaches, and there are many more. Each of these highlights how dependent the global economy has become on information technology and how brittle the protection is.

Governments Learning From Terrorists?

It appears that governments have learned from non-nation-state groups and are expanding upon techniques pioneered by terrorists and criminals to project power and disrupt rivals with little risk to themselves. This is especially true when compared with earlier techniques.

Previously, if one government wanted to overthrow another, it would typically fund and arm an opposition group and take the country by force. The US took these actions in Iran, Guatemala, Cuba, and Afghanistan, while the USSR/Russia was active in Grenada, Angola, Afghanistan (before the US), Crimea, and China. China is currently active in the South China Sea and India.

I do not intend to judge one country’s actions against another’s. The point is that military, economic, and diplomatic actions were previously nation-states’ only options for projecting power and achieving their goals. They were sometimes attempted covertly but always with the risk of their discovery leading to conflict. This risk provided a disincentive for action since the situation could rapidly escalate from low intensity to high intensity conflict.

For many years a high intensity conflict between superpowers meant nuclear war. The concept of Mutually Assured Destruction ensured that proposals to project power included potential responses by other global players. Nation-states’ bias for offensive action was tempered by their concern for personal safety.

I believe the universality, anonymity, and inherent insecurity of the internet have changed this calculus.