Disruption to business from systems change, outage or control is now seen as more of an issue than the risk of compromise
In some respects, the information or cyber security arena is entering its third age.
In the beginning it was the unknown and unexpected threat, the emerging challenge that we all faced but few understood.
Next came the age of cyber awareness.
The risk became more mainstream and we began to see boardrooms discussing and understanding the risks our people, systems and data faced. We were mobilised and the security industry boomed.
This third age, however, is where we face the reality of the challenge ahead of us and, more importantly, the reality of how we react when faced with big, hard problems that require sustained change.
About a bug
In recent weeks, a vulnerability in the Zoom video chat platform made front-page news (for a certain set of tech and business focused publications). A relatively simple vulnerability had been identified in the popular tool that could be leveraged to run malicious code on a user's laptop.
What's more, the researchers found that uninstalling Zoom did not in fact fix the problem. The vulnerable component was left behind, and with the application gone the update that fixed it could no longer be installed. The default response of "remove the tool" was not helping anyone.
While this bug was interesting, what was more interesting was what happened to Zoom usage, or more specifically, what didn't happen.
Life went on.
Security teams sent out notifications and ran through well-trodden incident response playbooks. The bug was discussed and evaluated, and eventually Apple took matters into their own hands and disabled the rogue functionality themselves.
We didn’t see a wave of organisations abandoning Zoom. We didn’t see a massive surge in emergency platform changes.
The reality is that software vulnerabilities are now almost expected, and for most organisations the cost of replacing a core system massively outweighs the benefit. Removing Zoom from the corporate tool suite was not an option. A strange form of security nihilism is emerging, and it will only get worse.
Dunning-Kruger and the battle of motivations
We have moved from being unaware of the risk we face in the first age of security, to becoming aware but not knowing what to do in the second.
Now, as we enter the third age of security, we have arrived at the Dunning-Kruger stage of security maturity. We are aware of the risk but are choosing not to act.
So what has driven this change? Are we safer now than before or has the risk gone away?
Perhaps the answer is closer to home.
Our motivations are conflicting so violently that our desire to improve security and reduce risk is unable to overcome our motivation to keep the ship moving. Disruption to business from systems change, outage or control is now seen as more of an issue than the risk of compromise.
In effect, availability has overcome confidentiality and integrity to be the leading risk for many organisations. So does this mean we don’t care about keeping our data safe anymore?
Has confidentiality loss become acceptable?
Unlikely. Given the ICO's recent notice of intent to fine BA under GDPR, and the Dutch data protection regulator's more recent action against a hospital, the confidentiality debate will no doubt roar into life again.
But this debate doesn’t come from concern for data, it comes from the concern that GDPR issues result in large fines and large fines are bad for business.
This isn't new behaviour. Science has told us for over 20 years that humans live longer and suffer fewer serious medical conditions when they eat a healthy diet and exercise regularly. Yet, as a population, we have yet to see the behavioural changes that would literally let us live longer.
The climate emergencies currently being declared around the world are based on decades of scientific research, and yet, when faced with the conflicting motivations of profit and convenience versus behavioural and systemic change, the results are equally disheartening.
Without direct, personal consequence, we will not act
The drive for more efficient, highly available systems is unlikely to slow down soon. As an industry we have to understand how our motivation to address risk conflicts with the unending drive for profit, innovation and growth. It is unlikely that our current methods of risk management and defence will ever overcome this conflict of motivation.
GDPR has shown us that financial consequences such as fines will get the wheels moving and drive change. Conversations in the insurance community lead us to believe that the age of software liability will follow shortly after, holding the producers and maintainers of technology systems responsible for breaches in a legal and financial sense.
Perhaps our security stagnation is no longer an awareness problem but a very human problem: overcoming our competing motivations and putting the needs of the greater good before our own. It is a problem that is going to require an external penalty rather than waiting for a cultural shift.