This article was originally pubished by SecurityWeek.
“Sentimental music has this great way of taking you back somewhere at the same time that it takes you forward, so you feel nostalgic and hopeful all at the same time.”
—Nick Hornby, High Fidelity
Certain movies have a way of helping you frame a set of experiences, a period of time of your life. It creates a metaphoric, reflexive pattern for how to process and communicate conclusions you draw in your life. Now that we are coming up on the second “year of the hack”—who said good things only come around once, right?—I thought one of my favorite movies, High Fidelity, based on the Nick Hornby novel of the same name. One of the key leitmotifs is the movie is the top 5 playlists that pervade the film. Here is mine for the end of 2015
1. “What came first, the music or the misery?”
Since the first days of computers, we have been worried about protecting electronic communications and data. As information transitioned from paper to bits, the ability to move or misappropriate data became apparent. Hence, the security industry was born. After we moved from mainframe computing to client server, security became its own silo, a separate discipline in computing
What if security was built into the application and computing cycle and not bolted on afterwards? Would we have fewer incidents and less pain?
2. “I don’t even feel as if I’m the center of my own world, so how am I supposed to feel as though I’m the center of anyone else’s?”
For the longest time, the role of the security team—and its pinnacle in larger organizations, the Chief Information Security Officer—was perceived as a form of pesky oversight, an inhibitor to getting things done. Many hard-working security professionals are still considered a separate silo and not a core part of the application and infrastructure teams.
What if security was invited to the application development and DevOps party from the start? Would they be able to help development teams innovate faster and be more secure?
3. “What went wrong? Nothing and everything.”
One of the things we learned over the past year is when something bad happens, when an environment gets breached and data is stolen, it can happen very quickly and the damage can be severe. The sheer size and scope of breaches such as the ones that impacted Target and OPM were in the tens of millions of records stolen. Moreover, the time to discovery went from days to weeks to moments.
What if breaches were discovered shortly after they occurred? What if they were confined to smaller, more compartmentalized data segments? What if reducing the blast radius was as important as detecting bad actors?
4. “I’m thinking: am I supposed to fight, and what do I fight with, and whom am I fighting?”
For information security and other IT groups to increase the enterprise focus on security, there needs to be an enormous mind shift across technical and business management on working together rather being at cross purposes on information security. Moreover, The asymmetry between the bad actors and the defenders in today’s cybersecurity battles raises many questions about how organizations can best prepare to deal with hackers—whether they should do it alone or work with others in their industry and the government.
What if IT and business leaders had common goals regarding cybersecurity? What if they were paid (e.g., bonus, salary increases) based on protecting core information assets? And what if there were well-established industry groups and government entities for both information sharing and best practices?
5. “I have made myself more complicated than I really am.”
The surging complexity security faces—lots of non-coordinated point systems, thousands, even hundreds of thousands of rules and policies —has not only led to challenges in building applications, it created a herculean of task of understanding and protecting data assets. The avalanche of new security vendors as well as the proposed palliatives of infrastructure vendors that recommend upgrade cycles as the path to better cybersecurity actually work against the best interests of IT and security teams.
What if you were able to simplify your security? What if you did not not have to touch your applications or infrastructure to maintain and enhance your security posture?
Happy and cyber secure holidays to you all.