Most folks appreciate the challenges of securing a mid-sized company. They have important data and enough employees that someone is going to screw something up. They often don’t have the budget or infrastructure maturity to take security seriously. Many get by due more to obscurity (who is going to attack them?) than any active controls. And as automated tools make it easier to find chinks in any and every company’s armor, the seriousness of the problem is going to become much higher-profile.
No less than Dan Geer has weighed in on the topic in a CSO contribution. He looks at it from the perspective of what the mid-sized company can do and what they can’t. By introducing the concept of a third party, which he calls a mentor, Dan is talking about helping an organization kickstart their security program and prioritize. Later, the mentor can move on to their next stop, when the organization is ready to do stand on its own.
Information protection means a program, not a tool, not a silver bullet, not a small number of enlightened facts. It means learning what it is that you don’t know that you don’t know (without the expensive embarrassment of the serious errors our opponents will surely deliver). An information protection program is, at its best, something that a mentor jump starts for you and, over time, brings you to the point where whether you take it over entirely for yourself, or keep it as a partnership with your mentor, is a choice that you make for reasons that no longer include whether you know what you are doing. Everyone understands that, say, driving tractor trailers or doing surgery is not something you would teach yourself.
Basically Dan is calling for the mentor to take a snapshot of an organization and use their experience, methods, and analysis to help the organization prioritize what they should fix first.
This first-things-first approach demands a mentor with the tools to take a high definition photograph of your information in motion movement – the source, target, frequency, volume, etc., mentioned above. If experience is a guide, then you will have some surprises. Again, this is nothing to be ashamed of, but better you get those surprises quickly and from a trusted mentor rather than reading about your data breach in a newspaper. Note that the kind of mentor we suggest is not a penetration tester, not an auditor, not a per-diem consultant, and not a reformed criminal peddling a product.
Dan is one of the big thinkers in the business, and he doesn’t talk much. But when he does, pay attention. As with any out of the box thinking, you can come up with a million reasons why something like this won’t work. But we should focus on how to make something like this happen; as technology advances (yes, Big Data) this kind of concept becomes more achievable.
The reality is that far too many organization don’t know what they don’t know. And until they do things aren’t going to get better.
Photo credit: “MSH0110-12 Squeeze Me” originally uploaded by f1uffster (Jeanie)