Because Hackers Don’t Care Who You Are… That’s Why.

It looks like the 30th Annual Chaos Communications Congress had some excellent presentations this year.  Wired reported on a number of them:

Search by category if you like… http://www.wired.com/threatlevel/category/chaos-computer-club/

The most depressing part of the majority of presentations on vulnerabilities over the week was that the oldest security paradigms are still the most problematic: replace old equipment once it becomes outdated, patch and maintain existing systems, disable or change default settings, etc., etc.

Of course, when one looks at the basic tenets of establishing a risk management program, the reason these violations keep occurring also seems to become just as clear: lots of organizations who want all of the benefits of operating in a very open and profitable society, but honestly don’t believe that the basic rules of that society will apply to them.

The “basic rule”, in this case?  For every person trying to make a dollar, there are at least three more who are trying to steal it.

In fact, inasmuch as there are often both well-intentioned, intelligent management and conniving weasels/borderline criminals running today’s companies – both archetypes that should wisely appreciate the importance of security – it is still surprising how few companies have a good grasp of this really basic idea, and just how true (or maybe even understated) it is in a network-connected business world.

“But wait, the surveys show clearly that companies indicate they value and understand the risks, and they assure us they have been putting controls in place.  Surely you are mistaken.”  Ahem.  If working with regulatory compliance professionals has contributed anything to my understanding of security in a business context, it’s that – on paper – organizations are becoming surprisingly sophisticated at looking good security-wise, even if the actual controls are less than optimal.  As a professor, it feels a lot like dealing with the students who spend all of their time trying to figure out how to cheat and/or get out of doing work, instead of just using that same time/resources to simply do the right thing in the first place.

Don’t get me wrong, every organization has to weigh risk and cost and make decisions that accept risk – even in places they’d just as soon not – but I and others across various industries are all finding that far too many businesses are taking the absolute minimalist approach, doing just enough to leap the regulatory hurdles (and even then sometimes using regulatory loopholes to minimize work scope), but no more.

As much as this may sound cynical, I don’t necessarily believe this situation derives from malicious negligence, either.  Maliciousness requires giving a high degree of credit to the motivations and commitment of people, whereas Occam’s razor can far better answer the problem with apathy, overwhelm, and/or outright incompetence as the more likely culprit(s).  It isn’t so much an issue of assigning ‘fault’ as it is the result of changing systemic norms in the business culture.

If we look at the average manager or executive today, they are NOT intentionally out to hurt their company… they’re simply so deep in the woods dealing with budgets, personnel problems, and putting out fires (operating reactively, not proactively), or they’re protecting themselves and focusing on their personal successes/aspirations.  In the meantime, however, they have no idea that a wave of attackers is assembling on their doorstep, and until it’s too late, they just fail to do anything about it.

But I can’t leave this as an abbreviated diatribe – there must be a glimmer of hope:

The easiest solution is to have people in your organization get involved who are NOT mired in the daily operational details.  The problem is that this is/was supposed to be the role of executive management, but as I vaguely alluded to, some executive management programs have evolved into rapidly revolving doors, in which the manager’s personal success is measured by short-term gains; this is further exacerbated by demanding investors/stockholders who have attention spans and tolerance timeframes that can be measured in nanoseconds, so they’re not helping either.  Lest I appear too one-sided, at the other end of the spectrum you also have executives who are forced (or choose) to jump into the trenches with their troops just to help run the business, but from there, again, planning a strategy is far more difficult to do.

Security = risk management, and that requires a well-developed framework, something that has to take a broader and longer view.  As such, it seems that governing boards will likely need to be more active in setting clear objectives and expectations for their management.  It also means the resource pie will have to be divided n+1 ways, which is definitely not a popular proposal when that ‘+1’ has a hard time demonstrating concrete value-added.

Still, the rules of society don’t change: accrued wealth must be tempered with protections to ensure you can hold onto it.  Organizations will simply have to re-prioritize investments (and yes, even profit margins) in the long run.  Otherwise there is a very long line of perversely talented people who would be happy to relieve the organization of its earnings.