It’s that time of the year again: when almost every tech writer and technologist with a blog shares their “end of the year” lists. We get opinions ranging from the best tech tools to the biggest industry failures and predictions for the next year. But I thought this might be a good opportunity to do something more constructive. I’d like to propose my 2014 New Year’s resolutions for information security.
2013 was a rough year for security pros, leaving reputations bloody and beaten. Between the awkward disclosures of Edward Snowden’s purloined NSA documents, to high-profile data breaches such as the compromised point-of-sale system at Target or user accounts from Adobe, holiday cheer is in short supply in information security.
As usual, passwords and user data seemed to be the biggest mark for bad guys, mostly because they’re still so easy to obtain. Seems like we’ve seen this all before. Why does every year in security feel like we’re watching a bad remake of a classic TV show, leaving us with that vague feeling of déjà vu? Maybe it’s because we complain about the same problems without committing to making changes necessary for improvement. Here are six resolutions for improving information security in 2014:
1. Ramp Up Encryption
Let’s collectively resolve to encrypt more data, at rest and in transit, while advocating for more usable and effective methods of managing the process. Whether the goal is protecting data from the NSA or members of some criminal underground, there doesn’t seem to be any question that encryption is one of the best ways to maintain confidentiality of information. The biggest barrier to the implementation of encryption still seems to be balancing real privacy with ease of use, especially in email. Even with the difficulties, encrypting data seems to be a no-brainer, but I’m still horrified by stories of unencrypted data that’s been compromised. And if you can’t encrypt it, then remove or tokenize it. Can we pledge to treat all data as if it were our own?
2. End Check-Box Compliance
As for compliance initiatives, can we collectively admit that we’ve been tyrannized by the checkbox? It’s time to take back our architectures and start driving the process to build secure infrastructures. It means taking the initiative in a proactive process, instead of reacting to an auditor who doesn’t always understand the subtleties of various technologies. It also means finally admitting we can no longer afford to cut corners on critical documentation such as incident response plans, network diagrams or business and service technical catalogs.
3. Improve Communication
Can we agree that we need to start talking “to” instead of “at” our users? It’s time to retire our knee-jerk reaction to say “no” or any antiquated communication styles utilizing aggression and hostility towards our co-workers. It’s insulting and doesn’t accomplish anything. Let’s cultivate respectful methods of collaboration, which will encourage our user community to work with us as partners in security initiatives.
4. Cut The Buzzwords
How about those buzzwords? Can we agree to stop overusing terms such as "next-gen" and APT until we’ve reached a consensus on what they actually mean? If you’re just using the term to get some attention, but can’t demonstrate an evolution of the product, then it’s a fail.
[Read Michele Chubirka's analysis of the biggest threats to an organization in "The Banality of IT Failure: Overlooking Mundane Insider Threats."]
5. Just Say No To Vendor Pseudoscience
As professionals in a discipline which is supposed to be grounded in science, we need to question surveys or reports that have a sample size of less than 20, but with results preached by vendor marketing staff like gospel. If performance results for products are presented without providing testing parameters for the purpose of reproducibility, then it’s pseudoscience. Can we all agree to demand a greater rigor from the industry in the data it puts forth?
6. Forget The FUD
And what of the classic FUD (fear, uncertainty, doubt)? Those frightening campfire stories of foreign espionage, insider threats, and supply chain vulnerabilities have provided enough paranoia to feed an existential crisis well into my next life. Maybe we should start focusing on the known dangers to our organizations instead of leaving business continuity and disaster recovery plans languishing in a file drawer. Most organizations will have to deal with a lost backup tape before a foreign spy trying to exfiltrate data.
I’m proposing these resolutions as a challenge for us all. These are recommendations you can use to become more strategic in your practice of information security, which could result in actual improvements, not just the reactive drudgery of constant firefighting. Wouldn’t it be great to look back next year without the same angst over failures and lost opportunities?