Accountability: the Non-Negotiable Asset
In business, accountability is something that cannot be stressed enough. This was true before the economic breakdown of 2009, and it will continue to be true long after. Accountability is of paramount importance and, perhaps more so than anything else, it is a good thing. Accountability is something that, at some basic level, all humans can relate to. Ask any child whether he or she is reprimanded by a parent when found to be in violation of a rule and you will almost assuredly receive a response of ‘Yes’. If you receive a ‘No’, then perhaps that is a sign of bigger challenges and problems to come. Regardless of the response, my belief is that you would be hard pressed to find anyone with any amount of intellectual honesty who would say that being accountable is a bad thing.
Accountability is a good thing. It is of imperative importance. Accountability aids us in the definition, maintenance and articulation of the healthy boundaries that all humans need and require (though they are not always present). Boundaries, rooted in the freedom afforded by accountability, enable us to live, grow and prosper with the understanding that we are all responsible for our actions (of course there are things which we cannot control; however, our responses to external stimuli, as Marcus Aurelius taught us, are well within our sphere of influence). Accountability provides much more in the way of freedom than most would initially suspect.
As information security professionals, we should all (I will not assume that all do; however, I will suggest that we all should) be cognizant of the value of accountability. If one looks at the continuum of information security and its role within modern business today (regardless of the vertical or sector), one can conclude that being accountable should not be negotiable. We do not live in a perfect world, however, and as a result we must assume that in some organizations, for better or worse, it will be seen as negotiable. In those cases where it is deemed negotiable, one need not look any further than the leadership in place and their vision for the culture. Similarly, in those environments where it is deemed unacceptable to be negotiable with respect to accountability, one need not look any further than the organization's leadership team. When moral flexibility is allowed to negatively influence accountability, it should surprise no one when armies of auditors, assessors, consultants and vendors descend upon the environment in question to aid the bewildered, understaffed information security teams and management. There is blood in the water and sharks can smell it for miles off.
The impact upon the organizational culture, receptivity and tone becomes more pronounced as well, affecting the cultural attitudes of the organization in question and the sub-cultures that exist within its business units. Any number of scenarios can result, from those that are extremely open, productive and collaborative to those that are terribly conflicted and shut down from a productivity perspective. Enterprises (whether in the public or private sector) do not need to settle for scenarios which encourage mediocrity and closed-minded attitudes. The establishment of accountability as an elementary aspect of organizational culture and politics (social and / or formal) is a wonderful place to begin. This does not mean that organizations should begin encouraging Orwellian information gathering campaigns where rewards are given to those who inform on their co-workers' infractions (real or perceived), but rather that all parties, within all roles, understand their contribution to the organization in any and all forms, up to and including being accountable for one's own actions and to one another, so as to prevent any damage to the organization and / or its assets (tangible and intangible alike).
You might be saying to yourself as you read this, “That sounds wonderful, Will; however, I live in the real world and work there too. I have no use for esoteric philosophical idealism when I need to get the job done today, especially when I have to demonstrate compliance for God knows what to God knows who.” Fair enough. I can appreciate that, which is exactly why my reply would go something like this: “Of course you don't; you've got a lot to accomplish in little time and with even less in the way of resources. However, if you take a few steps back from the situation, employing an observing ego, you will see that the advocacy of accountability in the form I am speaking of (predominantly through sound risk management based security programs and frameworks) would relieve you of much (not all) of the challenges you face.” Crazy, you say? Unrealistic? Immature? Handsome? (I had to throw that in to see if you were paying attention.) My assertion is that through the adoption of a solidly crafted risk based security program and framework, accountability can be achieved where it currently does not exist and supported and enhanced where it already does.
So how do we get there from here in the absence of accountability? The first step is to revisit your organization's P3 (process, procedure and policy) to see what exists (if anything) to date. Odds are something does, though its state and maturity might vary. Should you find yourself in a situation where you have none, or roughly the equivalent of none, fear not. This is not necessarily disastrous; however, it should be addressed and amended swiftly in order to ensure the organization maintains its risk posture or, at the very least, becomes cognizant of it.
2010 Predictions…sort of
It's 2010, people. Happy New Year! Where did 2009 go? Last year was a very busy year for Cassandra Security. A lot has occurred since we launched, and we as individuals and as a team have learned a great deal in the process. 2010 promises to be a very exciting year and, if my estimations are sound, we will show no signs of slowing. This is a good thing. My first 2010 prediction is that in the not too distant future you will see our site change. The evolution has begun and it is only a matter of time before it is complete. I am personally looking forward to this and other changes; however, I will refrain from commenting until the appropriate time. I will say, however, that our goal remains the same: to provide the most comprehensive, thought provoking content we can related to our passionate study, devotion and understanding of our discipline. Expect to see more in the way of malicious code and content analysis, threat analysis, reversing, trending and a whole host of other technological and philosophical endeavors related to our work. It is an exciting time to be in our space; it is a time that calls for leaders to lead, followers to follow and those who are confused to kindly step out of the way. Before I get into the heart of this post, I would like to say thank you to those who have shown their love, appreciation and support to us thus far, believing in our work and in us and rallying behind us regularly. Thank you. You know who you are and so do we. We are honored by your allegiance and support and hope that in achieving our goals we will also aid you in accomplishing your own, whether in business or personal contexts.
This time of year resolutions are the norm and, in our space, so are predictions. I am not a resolution kind of guy, so I will jump squarely into the predictions. Predictions are tricky. In our space you often encounter a regurgitation of ideas or, worse yet, a pilfering of them, with the net effect being that they end up on someone's prediction list. This entry is going to be different. I hope you'll enjoy it and appreciate it for what it is, as opposed to yet another broadcast of what may or may not be the next big threat to hit (I will mention some things which fall into this category; as you will see, it will be done in a manner different from what one would expect in a piece such as this). Predictions come in two varieties. They are either related to or associated with the divine and the supernatural, or they are the result of anticipatory science (the type of prediction which leads to the formulation of a hypothesis, for example). As we neared the close of 2009, I read no one's predictions for 2010. In fact, I still have not read anyone else's, to avoid muddying the waters of my own thought process. When I was a child, a very wise person told me that the true test of a prophet, or of one who makes predictions, lies in his or her accuracy with respect to the prophecy or prediction coming true. I took that to mean (and still do) that there are many things which must fall into place either by divine design or by the design of man (some may argue the latter is influenced by the former; however, that is not the purpose of this piece, so let's table that for another time). I never took it to mean that we as intelligent, informed human beings, perhaps lacking ‘divine’ insight, could not arrive at conclusions after conducting enough individual and collaborative analysis to make educated guesses or predictions. In fact, that is where I believe most predictions fall categorically: into the realm of those driven by anticipatory science.
Does this mean that I am ruling out, in absolute terms, the possibility of one's “gut” or “instincts” playing a role in this process? Certainly not. What it does mean is that what we conceive of as predictions in our space are not akin to, or on par with, messages delivered from on high, carved in stone and presented to a body of people.
Preface:
I feel that it is important to write and speak honestly about the world in which we live and work: the good and the bad, the sacred and the profane, the beautiful and the ugly. I believe that in doing so we remain in balance and present a realistic view of the world, as opposed to one seen through tinted glasses. I believe that there are threats, very real threats, at work in the world, some more noticeable than others and some operating quietly in remote locations, readying themselves for their opportunity to strike. However, I do not believe it to be a healthy or intellectually honest position to speak only of those threats in an unbalanced light. This, I fear, leads us away from sound thinking and directly into the land of those who inappropriately talk of fear, uncertainty and doubt. We do not need to lead anyone down a road to perdition; people do that for themselves. Our role is to identify the patterns, trends, activity, threats, vulnerabilities and risks that may be exploited in order to achieve the goals set forth by those who seek to do harm, in whatever form harm “means” to them. Furthermore, I believe we as professionals have a responsibility to avoid sensationalism whenever possible. Sensationalism is fine for the circus or the cinema but terribly inappropriate in other contexts, namely those within which we operate. I find that behavior to be distasteful and amateurish, and so should you if you are a professional seeking to improve your skills and your understanding of that which we do.
Prediction #1: Evolution by Definition Will Fuel the Revolution
I do not believe that we will see a plateau or a peak with respect to illicit activity, regardless of the form it takes: cyber crime, cyber espionage, cyber warfare or cyber terrorism. I believe we will see continued growth and likely greater degrees of interconnectivity between organizations around the world (in addition to individual operators), as there is no shortage of demand for what is being supplied, nor is there any shortage of innovation taking place. I write often about cyber crime, cyber espionage, cyber warfare and cyber terror, as they are passions of mine (in addition to being areas in which I have professional experience), as is psychology. I often quip that there is an ‘Evolution Revolution’ in full swing with respect to those factors that drive the creation, support and growth of sub-economic ecosystems (sometimes referred to as shadow economies). Put plainly, there are simply too many opportunities and too many parties ready, willing and able, for a plethora of reasons (recall that agendas drive action), for this not to be the case.
Evolution occurs without the aid or impetus of a third party. It simply does not require it; it is not necessary for its manifestation. Revolution, on the contrary, requires an evolution of thought, ideals and action. So long as this evolution remains present (which, based on my understanding of Darwin's and others' writings, I believe it will), revolution will be made possible and will continue unfettered. In our field, in our discipline, I believe that we have seen examples of this over time and will no doubt see many more in 2010 and beyond. The world is not enough, to quote Ian Fleming, and it is an intellectually dishonest position to suggest that everything that can be monetized on the Internet (in other words, given monetary value) already has been. Assertions such as this boggle the mind and suggest that human innovation and creativity have reached their apex (which we know has not occurred) and that, as a result, markets will dwindle. Do you see that happening? I don't. In fact, I would argue the opposite, completely and passionately. So long as there is evolution pushing revolution within cyber criminal ecosystems (shadow economies), state sponsored cyber warfare and espionage, not to mention sub-nationally sponsored cyber terrorism, there will continue to be opportunities upon which to capitalize. We need now, more than ever before, to remain diligent and prepare ourselves for what is coming, even if we cannot (in an unequivocal sense) “predict” exactly what will occur.
Prediction #2: The Sky is not falling, but it is Getting Gray
“All the leaves are brown and the skies are gray”. I love that lyric; it says a lot in few words and evokes a visceral response that the listener can easily identify with, should he or she have experienced winter and its realities. Fittingly, it is winter and I am writing this less formal but still serious post about predictions. Often people make assumptions and broadcast them in the absence of fact with respect to what is real and what is not within our industry. It does not require an advanced degree to recognize that this is foolish at best and quite dangerous at worst. Take innovation, for example. I believe that innovation, both good and bad, will continue, and that in some respects the innovation we perceive and recognize as being bad in our industry will outpace the readiness of the tools and tactics we have at our disposal should we become complacent and jaded. Cyber criminals, for example, are extremely innovative and recognize, at times more readily than we would like to admit, the challenges facing industry and its inability to address all that they have to offer and more. We must ready ourselves in all seasons, in particular the winter of our development, in order to address this, as we know that cyber criminals do not sleep but our industry often does. Sound analysis and integrity driven research, along with the desire and ability to enable ourselves and our clients to meet these challenges, is what is needed, not sensationalistic ramblings or debates over the validity of a new enablement technology or regulatory standard. Preparedness is key, and failing to plan is the equivalent of planning to fail. Last year, there were ample examples identified and noted which influenced the industry's belief that the sky is falling; however, there was little to lead us to believe that utter destruction was upon us.
This is not to say that there were not very serious occurrences which wreaked havoc upon the cyber world and beyond (to suggest otherwise would be madness). No, some truly BAD things did happen and will continue to happen. Will the skies remain gray? I believe they will; I maintain that they will be cloudy and at times more ominous than at others. Trends change; they evolve and mature. It is because they do that, in my mind, it is better to expect the worst, hope for the best and always be prepared. Very rarely (if ever) are people penalized for preparedness. Should you find yourself being penalized for being prepared, you can blame me or the Boy Scouts, whichever you would like, but take solace in the fact that you were prepared.
Prediction #3: The Threat Landscape Will Remain Unpredictable
If I have learned anything in life, it is that life is unpredictable, and perhaps that is what we need to focus on. Unpredictability is what drives us to formulate strategy and tactics for dealing with everything we experience, from our car not starting to our enterprises and our information, personal or otherwise, being placed at risk. Our goal for 2010 should be to remain vigilant and, where appropriate, become more so. This requires a reconsideration of risk and its management, as opposed to the mindless adoption of the latest newfangled technology or audit requirement. We need to treat information security and risk management in 2010 as though they are living entities: sentient and in need of nurturing. Should we fail to do so, then perhaps some of the more ‘sensational’ predictions made by others will come to a head.
On Monday, January 4, 2010, information infrastructure giant EMC agreed to acquire Overland Park, Kansas based Archer Technologies for an undisclosed amount (Archer Technologies is privately held) and anticipates completing the acquisition sometime before the end of Q1 2010. I am slightly annoyed by this as I love Archer Technologies' products and think they do a smashing job in the GRC (Governance, Risk and Compliance) software space; however, I am happy for the Archer folks all the same if the deal works to their collective best interests and those of their clients and customers. Art Coviello, President of RSA, which has for a while now been the Security Division of EMC, summed up the reasoning for the acquisition best, saying that traditional security management focuses primarily on addressing technology issues but their customers were telling them their real challenges came in the areas of policy management, audit and compliance. He concluded by saying “You can't manage what you can't see”, a fair point yet rather pedestrian for those more fluent in information risk management, where the real challenge is not being able to secure what you are not cognizant of. It seems as though Archer Technologies will live within the realm of RSA and likely be integrated or, at the very least, coupled with RSA's SIEM solution, enVision.
All of this is goodness for the end customers and clients of EMC's current solutions and could prove advantageous for Archer Technologies' legacy customer base as well. Tools such as Archer are wonderful for influencing and bringing to bear properly architected, risk based process, procedure and policy frameworks while identifying deficiencies where they exist. The challenge is that Archer Technologies does not have legitimate actuarial based data, as do vendors such as Prevari, which enables you to establish sound metrics against the enterprise. Were I working with Mr. Coviello, I would have recommended purchasing both, as one without the other is good, but both together demonstrate a more sophisticated and complete view of the enterprise.
So what will become of Archer? As mentioned previously, we shall see it working with the RSA suite and, if EMC can pull it off, with their Ionix unit, which aids customers in automating their IT configurations across servers, networks and storage environments. This would be exciting for enterprises and could prove hugely influential in EMC's maturity as a security player, in addition to their ability to provide more robust solutions geared towards governance and risk management. Jon Oltsik of Network World wrote a wonderful blog post on this topic, stating the following about EMC's choice and reasoning in acquiring Archer Technologies:
- An enterprise GRC architecture: RSA will integrate Archer and enVision into a multi-tiered architecture. The bottom tier will be log management (i.e. data collection, processing, and storage). The middle tier will be data services (i.e. middleware-like functionality including data translation, transaction services, etc.). The upper tier will be dedicated to data analysis. This analysis is dedicated to security and compliance today but it could be used for network operations, capacity planning, and business queries in the future.
- Strategic services: With Archer in tow, RSA becomes one of few vendors who can help companies align security and compliance with business processes. Yes, this will drive product sales but it will also help EMC create valuable strategic services and capture lots more services revenue.
- A bridge to IT Service Management: Aside from security and compliance, EMC is also pushing hard into ITSM with its Ionix product line. EMC will integrate Archer and RSA together linking log management with the CMDB as well as change, patch, and configuration management. In this way, Ionix can help enterprises automate compliance and security management response.
I do not believe this will be an easy task for EMC / RSA to accomplish. They are facing some incredible technical integration challenges between their platforms with this acquisition and their intended integration strategy, and they will no doubt struggle to define and articulate a realistic product road map that represents their vision and capabilities to current and prospective customers and clients alike.
Human Frailties
I'd like to talk a bit today about two security failures I've read about recently. One of these was very widely publicized, and the other seems to have been swept under the rug. One of these failures was a genuine shock, from an organization that is normally a paragon of reliability, and the other is from an organization whose name has, sadly, become synonymous with security failure. There are lessons to be learned from each of these, however.
Here in the United States, we celebrated Thanksgiving on Thursday. Most of us gathered with our families to share a meal, and to give thanks for the things that we all too often take for granted. One of the things I quietly gave thanks for this past Thursday was the fact that I’m not Jim Mackin. Because if I were Jim Mackin, I would have had the unenviable task of explaining to the American press how in the hell two unscreened, uninvited people were able to social-engineer their way past the Secret Service and in the process, gain personal direct access to the President of the United States.
The United States Secret Service is one of those institutions that we Americans kind of take for granted. They're widely known as one of the best-trained, best-equipped and highest-performing security forces in the world, and have, at least until this week, held nearly universal respect among the people of this country. Its mission is simple: “to protect national leaders, visiting heads of state and government, designated sites, and National Special Security Events” (less well known is the other prong of the Secret Service's mission: the USSS is also the government agency historically responsible for the investigation of counterfeiting). One could reasonably assume that protecting an event like this would be pretty well-paved ground for the Secret Service. Although every event has special requirements, I would imagine that the plan for the protection of Tuesday's state dinner was largely a boilerplate item, containing many processes and procedures that had been time tested.
But despite this event being a pretty standard protection operation for the USSS, and there being exhaustively documented and tested processes in place to ensure that security was maintained, two unauthorized people got in, seemingly without any extraordinary effort. How did it happen? At this time the investigation of what happened is still ongoing, but news reports indicate that someone in the Secret Service's Uniformed Division failed to check the attendees' names against a list. To be fair, the potential damage was mitigated greatly by other physical checks that were performed, such as metal-detector wanding, but the fact remains that two people who weren't supposed to be there managed to get within a handshake's distance of President Obama, Vice President Biden, the Prime Minister of India and untold numbers of VIPs. Needless to say, we'll be hearing more about this incident.
The second failure I'd like to talk about today is a bit less well-publicized, and comes from the recent news that Choicepoint, the consumer data aggregator, has once again been fined by the US Federal Trade Commission for a data breach. You might remember that back in 2005, Choicepoint was the hub of what was at the time one of the largest personal-information disclosures in history, involving 163,000 consumer records and resulting in 800 documented cases of identity theft, for which Choicepoint settled with the FTC for $15 million in fines and restitution to harmed consumers. The second breach, which occurred last year, was somewhat smaller than the first, involving the personal information of 13,750 individuals. This breach occurred after Choicepoint “turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off”. In other words, all the lessons learned from the 2005 breach and 2006 settlement were for naught, because someone flipped the wrong switch and nothing was watching the switch. Incidentally, this second Choicepoint breach cost the company $275,000, which, astute observers may note, is 78% less per compromised record than the financial penalty for the first, larger breach (I've another post brewing about this, which I'll save for later).
So, what do these two failures have in common? They both had humans at their root: humans not following procedures, either willfully or accidentally. Human frailty caused both of these failures in security. Neither was a failure in technology, or in procedure, or in the implementation of either. By all accounts, the security plans behind both the Secret Service and Choicepoint breaches were solid, yet they both failed because someone, somewhere, simply didn't do what they were supposed to do.
There are lessons to be learned by IT security practitioners from these incidents. The first and most important thing to remember is that “to err is human.” Human beings are inherently fallible machines. The idea, then, is to minimize the potential effect of human factors when planning for the protection of high-value assets.
Think of it this way: one of the first principles of systems administration is to eliminate single points of failure whenever possible. The most prominent example of this principle is a redundant RAID array, where the failure of one (or, at some RAID levels, more than one) physical hard disk drive does not result in either the loss of the data on the array or an interruption in service. (RAID 0, which only stripes data across disks, offers no such redundancy; the analogy applies to the mirrored and parity levels.) Hard disks, like humans, are fallible, and this relatively simple mechanism was designed to work around that fact.
So, how do you implement a RAID array of people? Simple: procedures for security operations should be designed so that no individual person has the ability to leave a protected asset vulnerable through their action or inaction. Furthermore, processes should also be designed so that each person, while acting as part of a team, must perform their role independently of the others. This avoids the temptation for a person performing a secondary check to become less vigilant under the assumption that the person performing the primary check did their job correctly.
Clearly, implementing multiple human checks is not feasible for protection of most assets, labor being as expensive as it is. But for the protection of high-value assets, such as the safety of world leaders or the personal data of millions of consumers, implementing these multiple checks is crucial to ensuring that you, like Jim Mackin, do not end up having to explain an embarrassing security failure.
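One way to put the “RAID array of people” into code, as an added example that is not part of the original post and not anything the Secret Service or Choicepoint actually runs: two checkers each verify a guest against the same source-of-truth list, neither sees the other's verdict, and a missing, stale or negative verdict fails closed, so inaction by one person cannot open the gate. The second function covers the Choicepoint lesson above: a control that has stopped reporting is treated as a finding rather than as silence. The guest names, checker names, heartbeat names, timestamps and thresholds are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed source-of-truth guest list and checkpoint names (hypothetical).
GUEST_LIST = frozenset({"alice example", "bob example"})
REQUIRED_CHECKERS = ("gate", "desk")
MAX_VERDICT_AGE = timedelta(minutes=10)
# Constructed clock so the scenarios below are reproducible.
SAMPLE_NOW = datetime(2010, 1, 5, 12, 0, tzinfo=timezone.utc)


def normalize(name: str) -> str:
    """Canonical form so every checker compares the same string."""
    return " ".join(name.strip().lower().split())


@dataclass(frozen=True)
class Verdict:
    checker: str
    subject: str
    admitted: bool
    at: datetime


def independent_check(checker: str, subject: str, now: datetime,
                      guest_list: frozenset = GUEST_LIST) -> Verdict:
    """One checker's verdict, computed from the source of truth only.

    It takes no other checker's verdict as input; that is what makes the
    secondary check independent rather than a rubber stamp of the primary."""
    key = normalize(subject)
    return Verdict(checker, key, key in guest_list, now)


def admit(subject: str, verdicts: list, now: datetime) -> tuple:
    """Admit only when every required checker has a fresh, positive verdict.

    A checker who never produced a verdict (inaction) is treated exactly like
    a rejection, so no single person can leave the gate open by doing nothing."""
    key = normalize(subject)
    latest: dict = {}
    for v in verdicts:
        if v.subject == key and v.checker in REQUIRED_CHECKERS:
            if v.checker not in latest or v.at > latest[v.checker].at:
                latest[v.checker] = v  # keep the newest verdict per checker
    for checker in REQUIRED_CHECKERS:
        v = latest.get(checker)
        if v is None:
            return False, f"denied: no verdict from '{checker}' (inaction)"
        if now - v.at > MAX_VERDICT_AGE:
            return False, f"denied: verdict from '{checker}' is stale"
        if not v.admitted:
            return False, f"denied: '{checker}' rejected '{key}'"
    return True, "admitted: independent verdicts from " + ", ".join(REQUIRED_CHECKERS)


def silent_controls(heartbeats: dict, now: datetime, max_silence: timedelta) -> list:
    """Names of controls whose last heartbeat is older than max_silence.

    A monitoring tool that has been switched off simply stops reporting; if
    nothing watches for that silence the gap can last for months. A control
    that has never reported at all (None) is flagged too."""
    return sorted(name for name, last in heartbeats.items()
                  if last is None or now - last > max_silence)


def demo() -> dict:
    """Run the constructed scenarios and return the outcomes."""
    now = SAMPLE_NOW
    gate = independent_check("gate", "Alice Example", now - timedelta(minutes=2))
    desk = independent_check("desk", "alice  example", now - timedelta(minutes=1))
    old_desk = independent_check("desk", "Alice Example", now - timedelta(minutes=30))
    stranger = [independent_check(c, "Mallory Example", now) for c in REQUIRED_CHECKERS]
    heartbeats = {  # constructed control heartbeats
        "db-access-monitor": now - timedelta(days=120),  # switched off, unnoticed
        "auth-log-forwarder": now - timedelta(minutes=3),
        "dlp-scanner": None,                              # never reported in
    }
    return {
        "both_checked": admit("Alice Example", [gate, desk], now),
        "desk_missing": admit("Alice Example", [gate], now),
        "desk_stale": admit("Alice Example", [gate, old_desk], now),
        "not_on_list": admit("Mallory Example", stranger, now),
        "silent": silent_controls(heartbeats, now, timedelta(hours=1)),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The design choice worth noting is that `admit` never trusts a checker's absence: the gate stays closed whether the second checker said no, looked too long ago, or never looked at all. That last case is the Secret Service failure in miniature. The heartbeat check is the cheap half of the Choicepoint lesson; its threshold needs to be short enough that a disabled monitor is noticed in hours, not months.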
“Mensch tracht, un Gott lacht” (“Men plan, God laughs”), Yiddish proverb
The Payment Card Industry Data Security Standard (PCI DSS) is not the devil incarnate, but it comes under scrutiny (for good reason, a great deal of which has less to do with the standard itself and more to do with the organizations wrestling with it, along with the credit card corporations themselves) likely as often as the devil himself. Before PCI was PCI, before this digital equivalent of “reefer madness” in which fear, uncertainty and doubt, once relegated solely to the world of the payment card and its affiliated merchant, provider and banking environments, came to permeate every fiber of the tapestry of the information technology and information security worlds, all the big brands (Visa, MasterCard, American Express, Discover Card (aka Discover Financial Services), Diners Club and JCB International) had their own ‘ways’ of assessing the security posture of their vendor / provider networks. Some were more inclusive and detailed than others. That is a fact.
It was ugly, it was cumbersome, it was ineffective and it warranted change, as the credit card corporations and their affiliated banking partners were experiencing fraud and exploitation in a variety of ways from a variety of sources, which ultimately led to a convergence occurring within that world. A convergence which would have an impact upon us all for years to come…like chocolate and peanut butter, only not as good. Initially this did not seem like a bad thing. In fact, I happen to believe it was necessary on a small scale to aid in jump starting awareness. I am proud to be personally acquainted with the primary architect of the original draft of the first PCI standard and know where his mindset was when he drafted it. I know his intentions were pure with respect to this standard. Furthermore, I also know that he did not and does not believe the PCI DSS to be a legitimate replacement for sound risk management practice, but rather a starting point for the many organizations which had no reference point at all. Fair enough. I think we can all accept that, at least those of us who are intellectually honest. What happened? Why all the hub-bub? How did something which started out with solid intentions turn into this new and creative form of audit water torture, which often yields little in the way of sound risk posture aside from PCI accreditation…for what that is worth…I'm guessing the folks at Hannaford Supermarkets, Heartland Payment Systems and Choicepoint (parts I & II) know what I'm talking about.
The PCI standards are easily had these days, as are lists of authorized assessors; however, just because they are easily had (both the ‘standard’ and the assessors) does not mean they are effective. In many respects, PCI reminds me of the early days of HIPAA, the difference being that with PCI people are actually being penalized for failing to comply. Sort of a novel idea, really. However, I believe that regulatory and auditing criteria (standards), important as they are, do not in and of themselves meet the needs of enterprises small and large, private or public, in our world today. What can meet these needs? (Cue drum roll.) Well designed, business centric, risk management security programs and frameworks. Are they trivial? No. No, they are not. However, neither is PCI, or HIPAA for that matter, and whereas both PCI and HIPAA fall into the Sisyphean category in my view of the world, risk management does not. Additionally, if undertaken, risk management initiatives will provide an enterprise with a wealth of information which PCI never would (sorry guys), not on its best day. So the question (or one of them anyway) becomes: why continue to divert time, effort and resources (personnel and budget) into something so one dimensional when a properly designed risk management based security program can address these and every other regulatory and compliance concern you're presented with? The bit gods must be crazy…let's read on.
I believe that the only way to rescue the hearts and minds (and ledger books!) of those responsible for budgets within industry is through demonstration of the intrinsic value of risk management (e.g. enterprise risk management, fiduciary risk management and information security risk management working in concert). This demonstration must be ubiquitous and comprehensive in scope for the enterprise in question, touching all areas of the business: customers, business partners, P&L, revenue streams, brand preservation, etc. This is something that I feel passionately about, as do others within our industry. The fact is that as times and circumstances change (for better or worse), so too will budgets (for better or worse). If initiatives such as PCI are not reconsidered in both scope and value (given the current volume of spend being seen as a direct result of meeting or achieving compliance with the standard), we may very well run the risk of encouraging and incurring new and previously unforeseen risk via threat vectors not previously considered, nor addressable, due to a lack of budget (capital or operational) for investment in innovative technologies, processes and people.
Icarus and Daedalus
And Icarus, having been overcome by the experience of flight, neglected the warnings and instructions of his father. He flew ever higher towards the sun, ignoring the fact that the wax holding his wings together was melting, until it could be ignored no more. With arms flailing in a vain attempt to stay aloft, he fell to his death, immortalized in myth for both his daring and his foolishness. We live in a real world, one which is often less generous to those who are less inclined to pay attention to detail than to those who do so with a greater degree of vigilance. Daedalus knew this and tried to stress it to his son as they attempted their escape from the island of Crete. Daedalus attempted to instill situational awareness in his son. Cautioning Icarus on the dangers of flying too high toward the sun or too low toward the sea, his purpose was pure and his execution sound. Regardless, Icarus did not heed the warning he received.
As the myth suggests, the experience of flight was simply too much for Icarus, and regardless of Daedalus’ familiarity with risk management, Icarus chose his own path. He paid with his life; what greater price could be paid?
Our world is no less dangerous than that of Icarus and Daedalus. Sure, most of us are not being held against our wills in a fortress in the Mediterranean Sea, but we are faced with threats daily, whether we realize it or not. It’s a real world, and because it is real it requires commensurate levels of awareness and activity to mitigate these threats. Attention to detail, as Icarus discovered, can mean the difference between life and death. In our world it can mean the difference between large-scale data loss and extrusion via the compromise of critical assets and the prevention of such occurrences. Daedalus knew this, and as such his approach was understandably different from his son’s. Did he face threats? Of course he did! In deciding to use his wings to fly between the sky and the sea, he decided upon an assumed level of risk. He demonstrated the appropriate level of situational awareness and as such arrived at his final destination. The story of Icarus and Daedalus is the story of each and every one of us. At any and every moment we are faced with vulnerabilities, threats leading to their potential exploitation, and the levels of risk produced as a result.
Management of risk is essential to our survival in both business and our personal lives (and in some cases greatly influences the balance between life and death). It is both an art and a science; a philosophical as well as a pragmatic endeavor. It requires situational awareness and the ability to apply qualitative and quantitative analysis (at times in an exhaustive manner) to a given set of inputs in order to arrive at a conclusion with respect to a situation’s or organization’s posture at a given time. In many respects I believe that the industry has sacrificed risk management at the altar of compliance, hoping against hope that in taking that path all threats would be mitigated and an acceptable level of risk would be arrived at. This is an infantile and dangerous approach to take when one has been tasked with ensuring the risk posture of oneself, one’s community, one’s place of business and one’s nation.
My background is heavily entrenched in risk management. As a consultant working with Fortune 500 to Fortune 10 organizations, I and my peers had for years preached with an evangelical fervor on the importance of approaching risk management in a holistic manner, the goal being total accountability for all aspects of a given organization (physical, logical, financial, etc.) in order to establish total asset valuation (for tangibles and intangibles) and the subsequent degrees of associated risk and maturity. Risk management is a non-trivial endeavor. To assert otherwise would be both irresponsible and unethical. The threat landscape is growing at a rate which cannot be ignored, and the potential impact of not being prepared could result in Icarian ends. It’s time for the industry and security professionals everywhere to re-evaluate their feelings and opinions about risk management and focus on what matters most in both the short term and the long term. Icarian or Daedalian: which path do you find yourself on? If you answered Daedalian, I congratulate and salute you; keep it up and encourage others to do the same. If you answered Icarian, there is still time to adjust your course before reaching disastrous ends.