I recently saw an analogy that likens the Cloud to a bank. It made sense at first glance: it stated that the safety of your money relies on the security of your PIN. As I considered it further, I realised that the analogy needed further development, and that once developed it could describe the current state of ‘security’ as we understand it.
You see, we trust the banks; indeed our paper money is based on a promise from a trusted authority (the bank, in this case) to pay whoever holds the bit of paper. This concept dates back to the Knights Templar and their promissory notes, and it holds for as long as the method used to transact can be trusted. The trust people placed in the Templars is exactly the same as the trust we place in the banking system today; that is to say, it is blind faith in the infrastructure, based on reputation.
How does this relate to my important thing to crack over the next year? My important thing to crack is to realise that the blind faith we have in security is as foolhardy as the blind faith we have in our money being safe within the banking sector.
This isn’t a political statement, but just as the banking industry is built on the old teller model, so our security industry is built on security principles that assume a similar context: the customer, the asset and the control all in the same place. Both models have proven unsuccessful at protecting assets since the dawn of Web 2.0, as anyone who has suffered fraud on their account can attest; the bank simply accepts that fraud will occur and pays out, rather than building the systems to protect your money once the transaction is no longer conducted within the bank itself.
We need to understand that in order to evolve into a business function, the security industry has to move towards understanding the information asset. This necessitates a move beyond protection (confidentiality) towards the accuracy (integrity) and availability that provide business value. All three attributes pull against each other, and we can no longer assume that security exists in any context.
In order to evolve beyond our current state, we need simply to understand two immutable facts: a control is rarely a solution in isolation, and controls applied to a defined risk rarely attract the spate of fines that has driven the industry’s focus towards compliance risk management.
Once we realise that a state of security is no longer achievable, and instead undertake the risk management of information assets that the current information society requires, real progress can be made.