Scene: in the car with my teenage son on the way to the bus stop.
Me: “Son, why is your iPhone named ‘Doktor, turn off my AirDrop inhibitors’?”
Son: "It's a spoof on a line from a video game; it means anyone can AirDrop me content."
Mind you, this is a child who won’t use public WiFi because it isn’t secure. But AirDrop? Apparently, that somehow passed the digital native sniff test.
Two days later…
Son: “I’m turning the security on my AirDrop back on! Someone AirDropped me a saucy meme that was nearly porn!”
Lesson learned, luckily without significant consequences. This little family interaction is brought to you by technology and the reality that no matter how well-prepared we think we are, something new will come along that forces us to re-evaluate and re-examine security.
Yes, we had "the talk" about public WiFi years ago. But that was before AirDrop entered the room, and we neglected to have "the talk" again. And I'm sure in two to three years, we'll need to have "the talk" again when The Next Great Tech™ is introduced.
Because you can't assume that new technology or new ways of using old technology aren't going to introduce new attack entry points. They always do. It's true for consumer technology and even more true for enterprise technology.
Now, the good news (for me) is that the security mechanisms for AirDrop are built right into IOS. It’s literally embedded in the system. Unfortunately, that’s not true for most of the technology coming at you as a result of digital transformation. So, it’s for us to have “the talk.”
Let’s start with one of the hottest buzzwords out there today, AI. What most people really mean when they use that term is machine learning (ML), but that's a topic for another day. In any case, solutions built on a foundation of AI rely on models. Models are essentially code and some data. They have to run in production, so they’re just like specialized app components. Consider that AIOps is based on the premise that decisions will be made based on the insights generated by those models and, in many cases, will trigger automated action that changes systems, networking, applications, app delivery, and even business flows.
You can see where I’m going, no doubt. Ever heard of security practitioners pontificating about how to secure models against tampering? How to protect the data against poisoning? Me either. But they are very real threats because the consequences of compromise go far beyond data exfiltration or running up your cloud bill by hijacking resources.
Digital transformation should be a forcing function for bringing security to the fore, not just as a way to protect stuff after it’s deployed, but as a way to consider how to protect digital assets from day zero. That’s during design, through development, across deployments, and for the life of that asset.
It's not enough anymore to slap a service in front of a digital asset to protect it. You have to get inside the process, into the system itself. It's not so much that we need to shift security left. That's about getting security into development. We need to envelop the enterprise architecture in a security blanket that is always vigilant and always looks for ways to protect data, processes, and code no matter what new technology is introduced. This isn't about tools and technologies, and it's about a mindset that approaches security as a good thing and includes it as a critical component.
Security in a digital world is about embedding security in your culture so that you’re always evaluating and embedding secure practices and policies from the first time a new technology is introduced.
Otherwise, you’ll be lucky to just end up with some saucy memes on one of your operational dashboards.