If you've been to the airport a few times over the last decade
and your mind thinks in that slightly different way mine does, you have
undoubtedly noticed something curious. Right after the tragic events of
September 11th, 2001, things got a little crazy at the airports. Over
the next decade or so the hype and fear mongering didn't drop off
as expected. Instead, orange (alert
level) became the standard for the next 10 years or so, as best as I can remember. The problem with this is, of course,
that when you constantly live in “heightened fear” that becomes the new normal
and the baseline adjusts. When the baseline adjusts the general population
adjusts to the new normal quickly,
and that fear dissipates.
This was not the intended consequence, but it is human
nature.
Consequently, this is also happening in the Information Security space…although it
may be a good thing.
For the Information Security (or Cyber Security if you
prefer) world, I would propose we've never been at condition green… it’s been all orange all
the time but our ability to see that is just now maturing. I won’t try and
argue that the threat was as great in 1998 as it is now, but then again
the level of technical capability and integration was significantly less. The
threat to technology from the attacker has grown proportionally with the
increase of technology in our daily lives. This shouldn't surprise anyone. More opportunity for the bad guys means more attacks. Simple.
So what does this mean for those of you working on
defending your enterprise networks, systems, applications and critical
intellectual property from the attackers and thieves? It means that orange is
the new green… and we actually do
live in what one executive has called a “post-breach” world.
Starting your day with the assumption that the enemy is
likely among you already is not something most people, even hardened
Information Security veterans, are comfortable with. That being said, this isn't
a completely new concept and it shouldn't be that revolutionary. Except
that it is. The problem is that enterprises
have collectively spent hundreds of millions of dollars (just a SWAG) on prevention,
and when that approach didn't work they spent even more. So now we’re at the same place
we've been for a long time: condition orange. The enemy is inside the
infrastructure, is watching us and waiting to strike when we’re not paying
attention. They know what you're doing (probably better than you), and know how to exploit you.
How will you adjust?
This is a wake-up call. How will your organization adjust to
the acknowledged state of heightened risk – permanently? This is not a drill.
I’m kicking off a series of posts on this topic that I’ll
address over the next few weeks, with some thoughts on how to actually live in
an era where orange is the new green, and we have to assume we've been
breached.