A Post-Compliant World? Part 3
The second piece of this series considered current difficulties of ongoing infosec assurance efforts. Now let’s now turn to how things could look in the near future.
A Sea Change in Public Services
The IT revolution has quickly – but quietly – undermined long-held ways of providing customer services. Over the past twenty years, a familiar model of offices providing counter-based services has been succeeded by a mix of online services and telephone enquiry filters (e.g., those never-popular “press x for y” prompts). On the whole, this has led to quicker and more accessible services that are more efficient and much cheaper: less waiting (and travel) time for customers and fewer business premises and employees for providers to have to pay for.
This shift to greater efficiency has only increased pressure to automate. But while increased personal technology has provided more opportunities for people to reach out to a greater range of services, the risks of data loss have risen. Customers have not yet adjusted to this new reality: expensive and remote as they were, counter services enabled customers to entrust their information to individuals. But developments in networking and personal technology have eroded the physical security provided by fixed premises.
Assurance methods predicated on restricting access and data management are continually undermined by changing technologies. Accepted ways of doing things are shifting constantly through demand for what new technology makes the “new normal.”
What is normal outside of corporate shells is also increasingly the expectation inside of organizations.
This continues to challenge infosec assurance models. Like one of those shape-shifting beings of fantasy, the infosec countermeasures are found wanting as the out-of-control science experiment morphs and changes. Take, for example, Bring Your Own Device (BYOD).
BYOD: Balk Your Obligations/Duties?
While BYOD certainly brought flexibility, it did nothing to teach personal accountability. Consider this choice of acronym to describe the convenience of using your own device for work: doesn’t the word “bring” imply that you might expect to use your device inside of a trusted environment (e.g., a corporation) and benefit from that environment’s protective measures?
When the phrase first appeared over a decade back, I recall that in the race to use newly-acquired personal devices for corporate purposes (especially just after the Christmas holiday period), security was an afterthought.
Internet of Things (IoT) – A New Frontline
As if BYOD were not enough of a challenge for infosec assurance people, the continued growth of the Internet itself has led to an explosion of innovation that has left security behind. As the Internet has grown beyond personal computing devices into support everyday household items and processes, the public’s enthusiastic reliance on Internet-supported services is undimmed by security concerns. Meanwhile, manufacturers and developers of these new services continue to be driven by the need to just keep their products moving.[1]
The Personal Challenge
What ways are there of ensuring compliance in a world where individual responsibility for security, at work and at home, is constantly undermined by technological advances?
Personal computing is probably the biggest challenge to government and corporate attempts to protect data. Is there more that can be done to ensure users of corporate data take responsibility whenever this data is lost or stolen through their own actions or use of their own devices? Clearly, there’s a need for better ground-level understanding of the linkages between personal action and corporate loss (including reputational loss).
In future, I believe there should be a shift towards personal responsibility for infosec.
Over the past decade, there has been a move towards organizations self-assessing their infosec maturity, using tools (examples include the C-CERT Cyber Resilience Review (CRR).[2] Some of these are free, though they also look at different things and may or may not require outside help to operate. The intention is to allow organizations to be better positioned for more formal audits, including those required by outside bodies (e.g. a business organization that needs to comply with an industry code; an organization seeking ISO 27001 certification).
I welcome this shift in emphasis from hopeless attempts to ensure rules are complied with towards being ready for the (inevitable) times when security just fails, or when individuals (at whatever level) break the rules. Below, I’ve highlighted some particular areas where I believe changes could help our efforts to ensure the implementation of more effective approaches to infosec assurance. I’d be very happy to hear what you think of these!
Contracts
These should be drafted to hold workers (at all levels) more accountable for how they use devices and data. Work contracts will, of course, need to comply with all applicable laws and regulations. No employer will want to see their carefully-honed policies on proper use being thrown out by a lower court.
Education
Users of IT need to be reminded constantly of their responsibilities, where necessary leading to periodic infosec training and testing (preferably automated, but always monitored.) To do this, there has to be a move away from technical explanation to everyday language, particularly when describing basic risk management in the simplest, most effective terms.
To use an analogy: People who use fire do not need to know the science of why fire can be disastrous. Yet they do need effective codes help them deploy fire safely. We’ll always need a fire service, and we’ll always need assurance experts. We don’t expect these experts to stop us from doing things or teach a college-level course on the science of the subject, but we do expect them to help inform us about how to stay safe.[3]
“Driving” Licenses
Organizations might require a basic level of understanding for their employees that can be tested and certified. Certifications are never forever, though: they need to be developed and maintained by a certifying body. Readers will have differing views on the extent to which government(s) should be involved in any of that. But since infosec health is ultimately a matter of national security, some government-level involvement must be necessary.
Learning
Mistakes are always food for improvement, and infosec is no exception. Learning and applying the mistakes of others is always preferable, and effective monitoring of industry news on infosec lessons learned (perhaps through membership of Infragard[4]) is a must.
Keeping Ahead of the Game
If infosec people could choose to hold back change, then we probably would. It would make our work much easier! In reality, we have to keep a lookout for future trends to anticipate how compliance and assurance might work with new services and systems. We have to have to develop methods that are not chained to current rules and regulations (as I have said, technological change can quickly sweep these away). We need to position ourselves alongside technologists to work with them as change comes, to ensure accountability is maintained through a well-rounded mix of training, legal adjustment and, where absolutely necessary, technical tweaking (on the understanding that can be the most labor-intensive solution of all).
This is a difficult approach, since infosec people will usually major in one particular area while having a tenuous understanding (at best) of its other parts. It is difficult to get this balance right, but more needs to be done to ensure basic understanding between each of the infosec team divisions: tech, policy, legal and audit. Others may argue about these four, and you will have your own views, based upon your own experiences! For example, I would define myself as policy/legal person, majoring in infosec education and with a basic grasp of technology.
Legal Frameworks
Some older laws and rules touching on infosec at a federal level probably need to be amended or repealed, with new ones introduced. As information services develop, rules and laws need to be kept relevant and need to be supported by codes and frameworks that effectively help compliance. Looking to the future, international treaties on the passage and storage of information in cyberspace should be developed that will protect national governments and their constituents on the “sea” of information that is cyberspace.
Conclusion
In the future of security assurance, I believe there has to be an increased emphasis on personal responsibility for IT use. There should also be effective infosec monitoring of new innovations that can be quickly converted into meaningful, everyday guidance to users. We need to ensure that all significant new developments in technology are diligently monitored so that the threats and vulnerabilities they bring with them are understood by stakeholders and by lawmakers. We need to ensure that existing frameworks and rulesets are not left behind in the rush to innovate, but are altered or, if necessary, withdrawn.
Finally, we need to remember that whatever mix of measures we introduce must counter the creation of unmanaged technologies, the existence of which could threaten our future peace and prosperity.
[1] Quoting Larry John (Analytic Services) at a presentation to ISSA on IoT, September 2015. At that presentation, Tom Klein (Certified Security Solutions) pointed out that 80% of IoT devices of that time (i.e., around three years ago) needed no password authentication!
[2] See us-cert.gov/ccubedvp/assessments
[3] The NCSA/APWG STOP.THINK.CONNECT ™ programs do this very effectively – see stopthinkconnect.org/about
What should you learn next?
[4] Infragard is a non-profit public-private partnership between U.S. businesses and the FBI. See infragard.org