IN the old days, when you wanted to stay ahead of the curve you either went to the library or the bookstore, with the latter being the cheaper alternative. You relied on the newspapers, radio and TV for current events. It was a tad difficult and required some effort but the information was consistently coming from the same reliable sources – everything gets edited and checked at some stage before the final product is released, printed or broadcast. There is some semblance of sanity and orderliness and if ever there were some errors in the facts, or lapses in judgment, it was easy to spot and get a quick erratum and a public apology.
Growing up in the CRT (cathode ray tube) era and now growing old in the digital age is quite a trip. An avalanche of technological explosions happening right before your very eyes. I’m in the field that is core to most of these advances – information technology – and I can’t even begin to tell you how it grew by leaps and bounds. There was so much development happening in one lifetime – from floppy disks to hard disks to solid state drives, CRT to LCD to LEDs, mainframes to minis to PCs, 300 bps modems to 10 mbps DSL, BBS (bulletin board systems) to the World Wide Web. It is truly nothing short of amazing.
And to think that LEDs to me before were just cute little flashing lights.
A younger IT guy just last week asked me, “What is a floppy?” I don’t know if it was out of jest but being the “has been” that I am, I told him. “It’s something you get when you want to make love but suffer a ‘failure to launch’.” That shut him up really quickly.
There is such a thing as too much though, because as both the quantity of technology and information multiply, so do the choices, in proportion. From this abundant source, the difficulty of discerning what is real or not, what is useful and practical or merely nice to have, increases as well. We all have been witness to the growing oversupply of news from the Internet, and this excess is now being used to cloud our better judgment, working more on numbers and influence rather than facts. That, however, is another story.
In IT and information security, there is also an abundance of prescriptions on how to establish your security posture. Although all of them are acceptable, it becomes challenging for the information security officer of the organization to implement them because of the sheer number of options. Here are some examples:
• International Standards Organization (ISO) – families of standards for information security management systems, code of practice for information security, disaster recovery and business continuity and a lot more;
• National Institute of Standards and Technology (NIST) – has several guidelines for cybersecurity and controls for systems, organizations and critical infrastructure and others;
• Payment Card Industry Data Security Standards (PCI-DSS) – specific and proprietary prescriptions from some of the major credit card companies to be implemented for organizations accepting card payments;
• Health Insurance Portability and Accountability Act (HIPAA) – has the “security rule,” the security standards for the protection of electronic protected health information.
As you probably have surmised from the above listing, what you implement could well be defined by the industry you are in, and most often because you need to be compliant with a particular standard or guideline that is accepted as best practice for your type of organization. This would be the safe choice and, as good citizens of the industry you belong to, it is not only wise but prudent to go with what is prescribed by your peers.
Here’s the rub. All of these take time. It is a whole slew of requirements that are combinations of processes, policies and technical controls. This is ideal for computing environments that have the luxury of time or one that has a very low probability of attack. Sure, maybe 10 years ago, but today that is just wishful thinking. Just like anything else in life, you have to take the good with the bad and along with the huge progress on innovation and ingenuity of technology, comes the ever-increasing sophistication of attacks. Don’t get me wrong, go for compliance; that is a given and a solid foundation for your security readiness. But what if your CEO comes to you today having heard all the news about the devastation brought about by these recent cyberattacks, data leakages and security breaches and asks you – the guy in charge of protecting and creating that secure computing ecosystem – “What are we doing NOW to protect ourselves?” Throw him the security standard manual?
Times have changed dramatically—compliance must go on but an alternative roadmap which takes into account today’s current attacks and their mitigation should be a given. A parallel strategy for securing your vital information and IT assets must not only be considered but should be the norm. Implementation that is pragmatic and effective, and yet maps to the prescriptions of the industry standards that your organization subscribes to must exist.
This is the brave new world we live in today. We need more than a linear and sequential strategy; we need something closer to parallel computing and multi-threading. Else, you will have a security posture akin to the ‘floppy’. Soft and useless.