I don't subscribe to the notion that the security environment is changing. There is nothing new about encryption, two-factor authentication, or even fraud prevention. The basic technologies being deployed now have been around for decades. The essential security tenet CIA (confidentiality, integrity, and availability) is just as applicable today as it was 25 years ago.
Then what has changed?
What has changed, or is changing, is that external pressures (regulatory, customer, and so on) are forcing businesses to do what they should have been doing all along. Because in the past they weren't forced to do so (they couldn't find the magic ROI for security, etc.), folks are getting caught today with their pants down and paying the price.
Use encryption as an example: many security pundits have promoted the encryption of "production data" for years because it was the right thing to do, and until recently this idea was unwaveringly rejected by business management at many levels, including by some of the very same individuals who are promoting it today. Why promote it today? Because it was the right thing to do, or because of regulatory and industry pressure? Or is it due to some individuals practicing a little CYA?
Certainly there are always business implications, priorities, and risks to be considered and evaluated. However, today we need to be especially aware of doing things more securely from the start. Be forward thinking in evaluating the risks: the cost of addressing them up front will be much less than the cost of trying to play catch-up later.
We don't need to look at what is new as much as we need to get back to basics. We need to look at CIA first and a little less at CYA after the fact. Doing the right thing first isn't always the easiest path, but it sure makes it easier to sleep at night in the long run.
i'm having a deja-hugh.
-g
ps. bravo. an entirely original post. and heartfelt.