By Martin Smith
Sir Arthur Conan Doyle's short story "Silver Blaze" focuses on the disappearance of a racehorse on the eve of an important race and on the apparent murder of its trainer. The case is solved by the famed "curious incident of the dog in the night-time". By its silence, the dog had inadvertently revealed that the villain was someone it knew. There is a modern parallel to this Victorian fiction, and lessons that can be learned from it by the security industry today.
The recent leak of a million classified military and diplomatic documents to the Wikileaks website should have rocked the security industry to its very core, but the ensuing silence has been deafening. There is a widespread reticence to engage in a debate about this and the other similar data breaches – or “leaks”, as they are often more expediently labelled – of the past few years. Like the dog that didn’t bark, our silence has revealed a number of villains lurking in the background that, if we are honest, we already know.
The story has been well reported. A junior serviceman with unrestricted access to a vast store of classified information, working unsupervised, was allegedly able to copy that data in bulk onto a CD labelled as a Lady Gaga album. The subsequent storm about the route by which the material reached the public domain, and the manner of its publication, has rather clouded the issue: this would appear to be a breach of trust, not of security, and as such one individual fundamentally undermined the entire protective regime that was in place. By his actions a single trusted employee apparently rendered worthless every penny spent on every technical, physical and procedural control laboriously installed and maintained within arguably one of the most sensitive environments imaginable. That the compromise was not worse is due only to the voluntary redaction of the most sensitive material by those who released it; the damage could have been much greater, and if it could happen there it could happen anywhere.
But blame has a habit of lying where it falls. If only, it could be said, the serviceman had been better supervised…if only his discontent and disillusion had been picked up earlier, or if only someone had noticed the several worrying early warning signs of his disregard for security…if only someone had realised that the employee felt isolated, ignored and unappreciated at work…if only he hadn’t been given so much access without restrictions to so much sensitive information...if only there had been some old-fashioned dual controls in place…if only his colleagues had been more security aware themselves, and had known what to look out for and to whom they should report their misgivings…if only the physical and logical controls in place had been more rigorously enforced…
Security breaches, like accidents, are rarely caused by a single catastrophic failure; one is less likely to be killed by an alligator than nibbled to death by a thousand chickens. Most often a disaster is created by the breakdown of several of the smaller links in the protective chain; prevent any one of those apparently insignificant links from failing and there’s a good chance you will save the day.
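Two of the “if only” controls listed above, a bulk-retrieval alert and an old-fashioned dual-control check, as an added Python example written for this page (it is not the author’s tooling nor that of any real system); the users, document ids, timestamps, working hours and thresholds are all constructed for illustration:

```python
"""Bulk-retrieval alerting and dual-control approval over a constructed
access log. Added example for this article; users, document ids,
timestamps, working hours and thresholds are invented."""
from collections import defaultdict
from datetime import datetime
from statistics import median

WORK_START, WORK_END = 7, 19  # assumed working hours for the after-hours signal


def build_sample_log():
    """Constructed log: two users with a steady daily pattern, then one of
    them pulls 40 documents in a single night."""
    lines = []
    for day in ("2010-03-01", "2010-03-02", "2010-03-03", "2010-03-04", "2010-03-05"):
        for i in range(3):
            lines.append(f"{day}T10:{i:02d}:00 abrown READ doc-2{i:03d}")
        if day != "2010-03-05":
            for i in range(2):
                lines.append(f"{day}T09:{i:02d}:00 jsmith READ doc-1{i:03d}")
    for i in range(40):  # the burst: 40 reads between 02:00 and 02:39
        lines.append(f"2010-03-05T02:{i:02d}:00 jsmith READ doc-9{i:03d}")
    return "\n".join(lines)


def parse_log(text):
    """Each line: ISO timestamp, user, action, document id."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, doc = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "doc": doc})
    return records


def flag_bulk_access(records, multiplier=5, min_count=20):
    """Flag any user-day whose READ count is at least `min_count` and at
    least `multiplier` times that user's own median daily count. The median
    is a crude baseline, but a single burst day barely moves it."""
    per_day = defaultdict(lambda: defaultdict(int))
    after_hours = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["action"] != "READ":
            continue
        day = r["ts"].date().isoformat()
        per_day[r["user"]][day] += 1
        if not WORK_START <= r["ts"].hour < WORK_END:
            after_hours[r["user"]][day] += 1
    flags = []
    for user, days in per_day.items():
        baseline = median(days.values())
        threshold = max(min_count, multiplier * baseline)
        for day, count in sorted(days.items()):
            if count >= threshold:
                flags.append({"user": user, "date": day, "count": count,
                              "baseline": baseline,
                              "after_hours": after_hours[user][day]})
    return flags


def check_export(requester, approver, doc_count, threshold=100):
    """Dual control: releasing `threshold` or more documents needs sign-off
    by a second person who is not the requester. Returns (allowed, reason)."""
    if doc_count < threshold:
        return True, "below dual-control threshold"
    if approver is None:
        return False, "bulk export requires a second approver"
    if approver == requester:
        return False, "approver must be a different person from the requester"
    return True, "released under dual control"


if __name__ == "__main__":
    for f in flag_bulk_access(parse_log(build_sample_log())):
        print(f"ALERT {f['user']} {f['date']}: {f['count']} reads "
              f"(baseline {f['baseline']}), {f['after_hours']} after hours")
    print(check_export("jsmith", None, 250000))
    print(check_export("jsmith", "abrown", 250000))
```

Run as-is it raises one alert, for jsmith on the burst night, and refuses the unapproved bulk export while allowing the one countersigned by a colleague. Neither control is clever; the point of the passage is that they are cheap, and that an alert is worth nothing unless a supervisor actually reads it and is willing to act on it.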
The elephant in the room
The tragedy is made worse by the fact that this was not an isolated incident. Less newsworthy but nevertheless harmful breaches of trust are reported daily in our newspapers and on TV. Some are deliberate; many are inadvertent or accidental. The result is always the same – the Mark 1 Human Being, by virtue of its permitted access to premises, systems and data, is able to bypass all the worthy efforts of mankind to prevent unauthorised disclosure of classified information. In most organisations the “chair to keyboard interface” remains the greatest and continuing weakness in the entire protective regime, and one that we remain reluctant to recognise and tackle. The damage to the public’s confidence in the ability or enthusiasm of any organisation – public or private, large or small – to protect personal and financial data is creating an insidious lack of trust that percolates into every aspect of our personal and professional lives and undermines the entire e-economy.
Why has this not triggered a major re-evaluation of the approach to data protection at every level within every organisation, in both the public and private sectors, in every country around the world? That this will be difficult and painful is not to be denied, but it is nevertheless essential. Is it not surprising that we as security professionals allow these low-tech incidents to occur? Even more remarkable is that our business masters, who pay our salaries and fund the massive investments in physical and IT security that we recommend, have not yet challenged us more about them. I suggest that inevitably they will.
This is our elephant in the room, the obvious truth that is being ignored and going unaddressed. It is the conspicuous problem no one wants to discuss. By pretending the elephant is not there we have chosen to concern ourselves with those issues we know about and are comfortable with, rather than deal with the looming big one that is perhaps outside our comfort zone.
Over the past couple of years there have emerged some encouraging signs that even the most ardent technologists are slowly recognising that the current focus on, and reliance upon, a technical solution is not (on its own) solving our problems. But while the must-say phrases that now have to be spoken on the conference circuit, in the internal business case and in the consultant’s report include “the importance of awareness”, “the people factor” and “the human aspects of information security”, the reality has yet to catch up. The genesis of our industry lies in various camps – most obviously the IT world on the one hand and the military/police/security services on the other. Our world remains fundamentally riven between the work of the CSO and the CISO, and each is most used to dealing with the tangible, the quantifiable, the physical and the definite. It remains understandably difficult for us to address the inexact sciences associated with human behaviour and motivation, but address them we must. Nor is our task made easier by those to whom we would normally turn for help. The developers and suppliers of security solutions naturally want to package their answers and sell them in bulk; addressing the human element takes time and hard work, there is no easy quick-fix, there is no shrink-wrapped solution, and there are no quick profits to be turned.
Security technology has been the bedrock of the information security industry and of course it is essential or our systems and networks would be unusable. But despite the vast sums of money spent, IT systems at all levels and within most organisations remain inherently vulnerable to even the most basic of security weaknesses and vulnerabilities caused by the intervention of the trusted individual. Because we have focused almost entirely on the technology and continue to develop increasingly complex technical solutions for arguably increasingly obscure problems, the accusation could be that we have become brain surgeons irrelevant to a patient dying of the common cold. There can be few who still disagree that the human aspects of security need to be promoted to their rightful place alongside the technical wizardry but there are strong forces opposing this. It remains a far from simple matter.
An opportunity for change
Let me declare my interest. I do not say all of this because of what I do; I do what I do because I believe all of this. It is no secret that for the past 20 years I have been expounding the need to address the human factors in security and that in my day job my modest company works with organisations to improve their security cultures and change the behaviour of their workforces. We all know that there can never be a guarantee of perfect security, but the professional carelessness underlying the incidents that are occurring more and more often should prompt us to look again at what we are doing and how we are doing it. I hope at least that my inadequate contribution will engender debate; I hope it will challenge our industry’s natural aversion to change.
So, not surprisingly, I believe that it is our lack of focus on the people issues that is at the heart of our current vulnerabilities. Yet this need not be a bad thing. Ironically, for most organisations this presents an opportunity to quickly and significantly reduce the residual level of risk through simple and relatively inexpensive initiatives.
None of this needs to detract from our work so far. On the contrary, effort in this area will produce rapid improvements of value far in excess of any extra investment and that will enhance and support all our other activities from the perimeter fence and beyond right down into the source code. To lampoon yet another old saying, it only takes a ha’p’orth of tar to finish the boat. It takes only a gallon of oil to make the engine run smoothly. The missing piece in the jigsaw is small, but vital.
An opportunity for leadership
To realise this opportunity, there is a need for a focus and leadership that is perhaps lacking at the moment. We must encourage involvement from the politicians, regulators and policy-makers. We must work as a team – our industry remains completely fragmented and there are deep gulfs between our various specialisations. We need to develop a variety of approaches that will better monitor, supervise and educate our employees, encourage them to behave in the ways we want, and support those ‘new’ behaviours. But perhaps most importantly of all we will need to get under the skins of our organisations and understand how we can persuade our business masters and our internal customers to care about what we do. These opportunities can be encapsulated in a single word – communication:
• As an industry we must learn to communicate more effectively between ourselves. The process of convergence must be championed at every opportunity. Silos must be brought down, budgets must be shared, effort must be coordinated and turf wars must end.
• As an industry we must learn to communicate more effectively with our businesses, and with all those other disciplines within our organisations whose help is essential to our work and success. We have to be driven not by doctrine or habit or convenience or tradition but by operational requirements and profit, and we need to be better recognised by all concerned as contributing to success.
• Last but by no means least, as an industry we must explain to our workforces what is expected of them in a language that is both relevant and understandable. We must develop a culture where our people become alert to risks and threats and have both the inclination and confidence to act appropriately when they have concerns. Then our inherently less-than-perfect technical, procedural and physical defences will always be bolstered by an army ready to act and aware of the importance of the fight.
Whosoever comes forward with the courage to assume this mantle of leadership will quickly become the fulcrum of change, and stands to receive the recognition for the rapid improvements that are ours for the taking. There is no shortage of candidates; a plethora of professional bodies exist, often replicated across the whole of the security industry landscape. There therefore exists an opportunity for leadership, and it will be fascinating to see who, if anyone, steps up to the mark.
Martin Smith MBE FSyI,
Chairman The Security Company (International) Limited and the Security Awareness Special Interest Group
Find out more about The Security Company at - www.thesecurityco.com