There has been a continued dialogue in IT security over the priorities between business ability/flexibility and security. The general consensus, from college courses and instructors to private sector CIOs, and crypto-gods like Bruce Schneier, is that security should always follow after business opportunity.
That is fine. That is what we call a hypothesis or conjecture, because it is a statement without facts and evidence, or even experiments, to back it up. And until recently I bought into it as well.
But no longer. This change came about from reading articles supposedly demonstrating the above conjecture through... a poll. Yes. You read that right. A single poll was touted by security god and generally more critical thinker Bruce Schneier as demonstrating proof of his opinion. Let’s drop those links for you to look at.
This is the first appearance of his post.
This is the most recent one and the one that triggered my thoughts.
This link deals with the original poll and article.
So let’s examine the claims.
“This article demonstrates that security is less important than functionality.”
(Referencing the balabit.com link at the end of the article)
Did you even read the article? It took an informal poll of people generally dealing with IT security and/or budgets, gave them a question requiring a yes or no answer, without reference to numbers, metrics, or studies that make this poll anything other than an opinion poll, and then regurgitated those numbers back at us, as if they mean anything.
Now let us be clear. An opinion poll can prove that vanilla or chocolate is America’s favorite ice cream flavor, but opinion polls cannot, by design, prove anything that is outside of opinions. Like the coefficient of friction. Or gravity. An opinion poll of scientists does not prove anything other than, X amount of Y believe Z, or not.
But Mr. Schneier does not use the word ‘prove’, he uses the word ‘demonstrate’. I believe my disagreement stands with whatever word you wish to use: what this poll shows is the prevailing attitudes of the 800+ IT personnel and executive personnel interviewed, with a flawed question that badly frames the wrong argument. So, because I do not trust the reader has gone and read the article about the original poll, let’s document it inline.
“When asked about their preference if they needed to choose between IT security and business flexibility, 71 percent of respondents said that security should be equally or more important than business flexibility.
“But…(irrational thought process and wording removed) when the same people were asked if they would take the risk of a potential security threat in order to achieve the biggest deal of their life, 69 percent of respondents say they would take the risk.”
First of all, what is “the biggest deal of their life” and how does that scenario apply to the real-world conundrum stated above, that business flexibility stands above security? This is a weasel word, a completely subjective griffin of a concept that can in no way be formally quantified for proper dissection. We need numbers.
Second of all, what is ‘a security risk’? That runs the gamut from... nothing to everything! It is not a useful phrase to give me anything other than what I, from my own personal experience, can read into it, and therefore numbers derived from it mean nothing. That is not a demonstration of anything valuable, and it certainly does not demonstrate any proof of a guiding principle outside of prevailing attitudes.
I’d like to point out that the vast majority of business decision conflicts with security are not a “biggest deal of our lives” versus “security breach.” That makes the scenario less than favorable for getting any real subjective data out of it, so we can all take a look and decide for ourselves. And by less than favorable, I mean it is an incorrect model to look at, think of, or poll people for, and it will create false results if you treat it otherwise.
If I had wanted to find out how humane or compassionate people are, I wouldn’t dream up a scenario with Mother Teresa and Adolf Hitler and poll people on that; it doesn’t inform on the subject at hand, which is always real people, real-world problems, real-world solutions. And neither does this poll question.
However, that is ok, because what I now think and believe is that I, Bruce Schneier, and most of the security community have been looking at this the wrong way, brainwashed by decades of prior belief and absolutely zero research or proof. That is a big statement to make, so let’s get into why I believe this.
First of all, the idea that a business is the one that suffers a breach isn’t exactly true. I know, Sony clearly suffered a hack two years ago, Experian this year, and Target... often as well. So what can I mean by saying that businesses and organizations do not suffer breaches?
Well, who is doing the hacking, what are they after, and how are they going about getting it?
The vast majority of attacks are done, nowadays, by professional criminal gangs, for the express purpose of monetary gain through identity theft, medical record theft, credit card fraud, etc. On the flip side, corporate and government espionage does exist, but the idea that the most common and realistic scenarios of security breaches come from people seeking secret or unique intellectual property, like software pirates and government contractor attacks, is dishonest at best. The truth is that customer data is the gold at the end of the rainbow, not the company’s own info, for the vast majority of attackers and victims.
So here is where we have to split hairs. You, as the business owner, may think the personally identifiable information you have on your customers is yours, but the truth is, it isn’t. That security breach at Experian I mentioned? Yeah, that outed 1 out of every 3 Americans’ financial data, and that wasn’t even the first time Experian did that. Over 100 million Americans affected, having to watch their credit reports for fraud and fight the charges when they occur over their entire lifetime, and we say the company suffered the breach? That doesn’t fit at all with the reality. Experian didn’t lose their data, they lost my data. They lost your data. His data. And while Experian gave those customers a subscription to identity theft products, which have no good track record and some famous ones have been sued for failing at it, once your Social Security Number is leaked to malicious actors, it stays there forever, waiting to be resold to another botnet or scammer or what have you. 20 years from now, those 100 million Americans’ information will still be floating around, while Experian merely wrote off the expense of a Lifelock-esque product for those customers over a 3-5 year span, and probably passed the cost back onto the customers, who were the ones originally affected to begin with.
I do agree, Experian is only one example and thus cannot be indicative of a greater trend without more examples, but if we look at the maths, and I welcome any who have already done that legwork for us, I believe customer data is overwhelmingly the most common target of hackers and hacks, and that problem is most keenly felt by the customers of attacked companies, not the company itself.
So that is the problem. Business owners only see their own financial loss or gain when the fact is, those numbers are the tip of the iceberg for effects from security breaches.
To me, it is like buying a brand new door, coming home the next day to find it busted in and your home and effects burned to the ground, only to hear on the radio how the door company is bemoaning the loss of their door, fully ignoring the fact that the vast majority of misery or suffering created by the crime was not suffered by the stockholders whatsoever, but by the customer using the product.
So of course, if this is MY data, and this is the biggest deal of my life, I’d take that risk, but that is never the issue, or at least, is such a rare magical instance I wonder why it wasn’t included as part of a BUZZFEED QUIZ, versus a legitimate web source for IT info.
See, this is how you can frame an argument badly and completely lead everyone astray from the facts and problems. It is a problem that can not only occur out of maliciousness but out of ignorance.
The real question for these CIOs, CISOs, etc. is this: since the numbers currently available say the average cost of identity theft per victim is $1,500.00 USD, how much will your business deal make you, versus what it could potentially cost your customers? How much does it need to make before it is worth the potential loss of customers’ data, and would you want those metrics, once created, to be made public? What kind of fallout would you expect from those revelations, if any, and would you use a publicly available risk-benefit metric, made on your company by an impartial third-party judge or company, as a selling point against your competitors if you are found to take less risk with their data for more reward than they do?
Oh, and, why didn’t anyone else think of this already? I cannot be the first.