I was reading a blog post from the Cloud Security Alliance (here) about the on-going mess and disinformation around Equifax’s security breach.
The article makes a very good point. Sadly Security is seen as just a cost, and whilst people have that mindset we will see decisions being made that favours ‘high share value now’ over long time assurance of sensitive data which means that ‘now value doesnt nose dive’.
The article goes on to show the approximate cost to the US public of the breach. But if we can quantify the costs, can we not quantify the value of protection?
Even with today’s legislation in many countries it is a legal obligation to disclose the details of a security breach. The only problem here, is ignorance is bliss, if I don’t know I’m being compromised then nothing to report. The blog post also points out that often the only time security investment is recognised is, and often that information doesn’t propergate within an organisation. This got me to thinking why can’t companies also disclose how many attempts on their security have been mitigated on in the same way companies have to declare profit and loss.
It could produce some interesting information, as you could compare data from different companies of similar profile. When plotting the data, any outliers suggest something maybe wrong. But it would give consumers a means to decide do they trust their data with X over Y when they get a chance to influence the decision. But we’re now moving into the territory where security is becoming a positive measure. If nothing else it may engender an ‘arms war’ of who has the best protection.
As with all things, they way you measure something influences behaviour. This sort of measurement may encourage companies to invest in more ‘white hat’ attacks. That’s no bad thing as if a white hat attack suceeds – the vulnerability has been found.
The interesting thing is that, the article points out that Equifax and other large companies that have been breached have been certified as ISO 9001 compliant, PCI DSS compliant and so on. The issue here is, that these accreditations have a strong emphasis on process and policy, and are down to the auditor spotting non-compliance. In a large organisation the opportunity to steer the auditor towards what is good exists. But more importantly, process requires people to know and follow it. Following process and being prepared to uphold the processes requires an organizational culture that genders its adherence. I can have a rulebook as big as the Encyclopedia Britannica but if my boss, and his boss apply constant pressure to say we have to deliver and there is no repercutions to bending the rules – well then I’m going to start bending.
Leaders like Gray understand the value of an organization’s culture. This can be defined as the set of deeply embedded, self-reinforcing behaviors, beliefs, and mind-sets that determine “how we do things around here.” People within an organizational culture share a tacit understanding of the way the world works, their place in it, the informal and formal dimensions of their workplace, and the value of their actions. Though it seems intangible, the culture has a substantial influence on everyday actions and on performance.
This brings us back to the idea – hard data on the execution (not that i have a process for execution) will give strong indications of compliance. This kind of data is difficult to fudge and with a good sample set, then fudges are more likely to stand out.
Practical? I don’t know, but worth exploring? If we are to change security thinking then yes.