The Security Problem of C.Y.A.

A few years ago, while working with a large utility, it was revealed that their protection against a cybersecurity attack was to build a redundant system.  It needs to be noted that these systems are incredibly expensive and would be running the exact same software and connections as the main system.  Thus, if the original, insanely expensive system were compromised and the backup system came online, it would in all likelihood be compromised as well.

When we raised this issue, the utility folks agreed that building the backup system really solved nothing and was essentially wasting money.  When we asked about their backup-to-the-backup plan, they also admitted to having nothing in reserve.  When we asked why they did not do anything about it, the answer was simple.

They could not be fired for doing what they were told despite how ignorant they felt the process might be in reality.

In separate discussions with a very large oil company, we again faced this issue, this time in regard to the notoriously hacked SSL/TLS security.  This person readily admitted that running an SSL deployment (e.g. PKI) was a massive burden and would most likely get hacked in the near future.  His response was very simple: he would never get fired for using an industry standard, and he WOULD get fired in an instant for using some other option if that option were ever compromised, even if he agreed that the new solution was far superior and less likely to be hacked.

When we pushed him on this whole CYA nightmare, he pushed back and asked us “who is in charge of security anyway?”

Good question.

And, traditionally, there has not been an easy answer.

The trouble has been a plethora of security options, each devoted to one part of the overall digital security effort (with physical security being a separate challenge).  People use certificates to authenticate devices and connections, LDAP (Active Directory) for authorization and user authentication, and then some other form of encryption to safeguard data.  Sometimes security is baked into applications, other times appliances are used; it is a mishmash of solutions with more holes than Swiss cheese.

No wonder nobody wants to be in charge.

System and network admins will complain that security actually prevents their tools from working properly.  Product managers will focus on deadlines and how security needs to be “somebody else’s problem”.  Executives point to CTO/CIO/CSO people who point to product managers who point to developers and then to sys/network admins.

And you thought the jumbled mess of possible solutions was an issue.

It is easy to state that security is a CYA issue, with people doing the minimum to pass the buck elsewhere.  The reality is that security itself is the culprit, and it is only going to get worse.  The problem now is that the IoT is rapidly moving us from relatively small communities of a few hundred thousand connections to massive systems comprised of billions of devices.  These new networks add many new levels of complexity and challenges that have to be addressed.  Security needs to move from a highly fragmented, manually implemented effort to a ubiquitous layer of protection.  Nobody asks you to manually package up your data to send it from computer to computer, so why are you having to deal with protecting that data?

Once you have a single, transparent security layer, you can delegate security to experts much like you delegate data to the cloud.  No more pointing fingers, no more CYA causing business disruptions and issues.

At least for security.