While tales of governments snooping into our personal information persist in capturing media attention, the real story is the erosion of consumer confidence as 2014 shapes up to be another year of catastrophic data breaches.
Attacks against health care providers have also been on the rise, highlighted by the theft of approximately 4.5 million records from Community Health Systems, a Fortune 500 company and the largest non-urban provider of general hospital healthcare services in the United States. Even celebrities aren't exempt, as iCloud accounts belonging to prominent actors were hacked over Labor Day weekend with nude photos released and more offered for sale.
The fragility of information security has never been more apparent.
An information security services industry in crisis
The state of security is in existential crisis, with security professionals disillusioned and desperate for some progress in the uphill battle against attackers. Security vendors often tease us with solutions, but we are left waiting for that infamous Godot who never arrives. Compliance objectives, the dreaded checkbox, continue to drive purchases of traditional products, but even the money spent for those systems may begin to decrease as auditors realize many are worthless at actual prevention and offer limited detection capabilities. Information security can no longer depend upon that Maginot Line of basic security controls, hoping to keep attackers away from our most precious resources.
As for the recent spate of retail attacks, it's only a matter of time before lawmakers are forced to step in to placate voters. These breaches only point out how pointless the compliance process has become. Most organizations "game" the audit, instead of actually using requirements as a method for validating their controls. Security's dirty secret is how this cottage industry has developed without actually improving security.
Shifting rapidly to meet demands
Nassim Taleb, the statistician whose work focuses on randomness, asserts that structures improve when exposed to volatility and disorder. Shouldn't information security and the information security services market learn to shift rapidly in response to a constantly evolving threat landscape? The recent trend in security products, using graph theory or data science to help identify anomalous events, seems promising in this regard. But existing vendors won't readily jump into this new market, except through acquisition of the disruptors. It's the innovator's dilemma: Security needs different products, but established companies have no interest in changing their existing economic models. They will not shift their product lines, because disruption doesn't keep the lights on or the company in business. A traditional intrusion detection system company has no interest in innovating away from blacklisting and signatures, because its main revenue source is the signature business.
There's an evolution taking place within IT infrastructures, but security seems to be missing it. Traditional controls are no longer sufficient as infrastructures are commoditized through consumerization, networks become software-defined, and both are outsourced to the cloud. Security must address this by folding itself into vendor onboarding processes and operations. Those who work with the business to build solid applications and fix vulnerabilities will, in time, ultimately replace those ego-driven professionals who seem to think exposing or exploiting a vulnerability makes them successful.
Favoring the paranoid
Natural selection favors the paranoid; therefore, the ultimate goal is omniscience into events, coupled with high-speed response. We should also install layers of airbags into the infrastructure to soften those inevitable attacks. Success will come when security professionals behave more like epidemiologists, when our decisions are data driven and validated by scientific methods rather than emotions or magical thinking. While traditional models are useful, they should be strengthened and standardized, with a focus on automating incident response. Taleb introduced the concept of the antifragile, a state "beyond resilience or robustness," one that withstands disorder and randomness. Only the antifragile enterprise, the one that can withstand constant attacks and become self-healing, will be truly resilient.
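The two ideas above, identifying anomalous events from data rather than from a signature list, and wiring the result into an automated response, can be shown on a tiny scale. The following is an added example, not code from the article or from any vendor it mentions. It assumes a constructed sshd-style log format (`user=`, `src=`, `result=`), counts failed logins per source, and flags any source whose count stands out from the population using a median-plus-MAD baseline; the "rate_limit" action it attaches is a hypothetical placeholder for whatever response playbook an organization actually runs.

```python
import re
import statistics
from collections import Counter

# Constructed sample auth log (not from the article): a handful of ordinary
# users with the occasional mistyped password, plus one source hammering root.
SAMPLE_LOG = (
    "2014-09-02T10:00:12 sshd user=alice src=10.0.0.5 result=FAIL\n"
    "2014-09-02T10:00:40 sshd user=alice src=10.0.0.5 result=OK\n"
    "2014-09-02T10:01:03 sshd user=bob src=10.0.0.7 result=FAIL\n"
    "2014-09-02T10:01:30 sshd user=bob src=10.0.0.7 result=OK\n"
    "2014-09-02T10:02:11 sshd user=carol src=10.0.0.9 result=OK\n"
    "2014-09-02T10:02:45 sshd user=dave src=10.0.0.11 result=FAIL\n"
    "2014-09-02T10:03:01 sshd user=erin src=10.0.0.13 result=FAIL\n"
    "2014-09-02T10:03:20 sshd user=erin src=10.0.0.13 result=OK\n"
    "2014-09-02T10:04:00 sshd user=root src=203.0.113.9 result=FAIL\n"
    + "".join(
        f"2014-09-02T10:05:{i:02d} sshd user=root src=203.0.113.9 result=FAIL\n"
        for i in range(40)
    )
)

# Hypothetical log format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return the fields of one log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def failures_per_source(log_text):
    """Count FAIL results per source address. Sources seen only with OK
    results are kept at 0 so they still take part in the baseline."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the parser does not understand
        counts[rec["src"]] += 1 if rec["result"] == "FAIL" else 0
    return counts


def robust_threshold(values, k=3.5, floor=5):
    """Median plus k scaled median absolute deviations. The MAD of sparse
    security data is frequently 0, which would flag everything above the
    median, so a minimum margin ('floor') is enforced as an edge-case guard."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med + max(k * 1.4826 * mad, floor)


def flag_anomalies(log_text):
    """Return the sources whose failure count stands out from the population,
    each paired with the placeholder automated response to apply."""
    counts = failures_per_source(log_text)
    if not counts:
        return []
    threshold = robust_threshold(list(counts.values()))
    return [
        {"src": src, "failures": n, "threshold": threshold, "action": "rate_limit"}
        for src, n in sorted(counts.items())
        if n > threshold
    ]


if __name__ == "__main__":
    for hit in flag_anomalies(SAMPLE_LOG):
        print(hit)
```

The point of the baseline is that nothing here is a signature: the detector knows no attacker addresses in advance and only asks which source behaves unlike its peers. Replacing the `print` with a call into a ticketing or firewall API is the "high-speed response" half; the decision record it emits (count, threshold, action) is what lets that response be audited and tuned with data rather than intuition.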