Tuesday 8 May 2018

Security, so what is it exactly?

- BOHH CEO Simon Bain

Talking to customers, vendors and the great and the good of the industry, it is no surprise that we seem to have a data security issue at the moment. It may not be the obvious one of data being stolen, though, but one of how security itself is described!

These two quotes from Sridhar Muppidi, who serves as VP and CTO of IBM Security, are taken out of context, but they sum up a large sector of the technology industry’s view on security:

  1. "IBM Security is a division that focuses on keeping the bad guys out and the good guys in, it's as simple as that," Muppidi said.
  2. "It's a discipline," Muppidi said about security. "It's a discipline that can be morphed into a program, a set of practices, solutions and products."

See them here: http://www.eweek.com/security/ibm-security-cto-details-how-cyber-security-fits-into-ibm-portfolio

While there may not be anything fundamentally wrong with these two statements, I do believe that they totally miss the point. They turn the security of customers’ data, documents and corporate secrets into a commodity for IBM to play with, and, worse, they trivialize the issues.

I do not believe that security is just a discipline. Yes, users do have to learn how to treat data and how to help themselves. But we in the industry must start to look at security in a different light. Security is privacy, and we should help maintain the privacy of data, not just by trying to keep the “bad guys out.” After all, a lot, if not most, hacks are insider initiated, not external. So, in that case, you keep the “bad guy out” by not employing them!

We need to start talking about privacy and looking at ways in which we can truly keep data private, from insider threats as well as external ones.

Threat detection is as good as useless for privacy at the point of attack. It is a great learning resource for working out how to secure data after the fact.

Threat prevention is the only approach that can work, but it is multifaceted. We do need to look at keeping “The Bad Guys Out,” but not just out of the network: out of the data as well. And the “bad guys” are not just external people (guys and gals); they may also be inside. So we need to make sure that the data is secured in such a way that keeps it usable, but also completely private and away from prying eyes, whether those belong to a system admin or to someone who has been given admin permissions to do some data cleansing.

Security is not about creating back-to-front detention centers where one group is kept out and another is kept in! It is about privacy of information.

Security must also not get in the way of people's working tasks. Otherwise, yes, they will circumvent it, or they cannot do their job and then find themselves without work.

As such, I believe our job as technologists is to make this possible: not just to talk about it, not to create long, overly lawyered disclaimers, but to actually build applications that create a full privacy zone where data can be used free from the fear that sensitive data will be lost or stolen.

Only time will tell where the industry is headed and how we as a collective group approach security.
