Bulletin January 26 2018. Whence cybersecurity and trust?

It’s an author’s worst nightmare. You write a book, it’s complete and just about to be published. So you ask a few people for a review — it would be nice to get some positive words on the back and, frankly, you want a bit of a stroke. So you send off the manuscript to a trusted party… and they come back and say it’s all rubbish. What to do? Stop the world, go and sit in a darkened room and hope it all goes away? 

And yes, it happened to me when I wrote a short book on information security architecture. The trouble was (the clue’s in the title) that it advocates the need for an architecture for information security. This perspective flies in the face of (some) leading-edge cyber-thinking, which takes the view that any notion of perimeter security should be consigned to the past. 

It’s not bad thinking, indeed, it is highly valid. Google have adopted an approach for their own internal systems (called BeyondCorp) that encrypts every communication, based on the assumption that no system can be secure. At the same time, try walking into Google’s buildings and see how far you get. As with so many things in life, absolute positions generally end up tempered when they hit reality. 

Cybersecurity best practice really only needs five rules, none of which require huge technical knowledge. 

1. It’s all about the data. Which means understanding it before you can protect it. 

2. It’s a board-level choice. It can’t be delegated away, outsourced or otherwise. 

3. It’s about understanding the whole picture. Which means architecture. 

4. It’s impossible to protect everything. Which means being able to react. 

5. It’s never done. And why would it be, if technology keeps changing?

Obviously, there’s a great deal of devil in the detail, but if organisations could only get their heads around the above, everyone would save so much time and effort. These rules should be as prevalent as ‘don’t run with scissors’, but while they are not, we reiterate (and indeed write books about) them. And, as an aside, security vendors are stuck with scare-story marketing, not because they want to be forever spelling doom, but because it’s the only thing that works. Ho, hum, and on we go. 

To wit, some articles from this week.

Cybersecurity should be a board room topic

A global survey by Allianz has found that cybersecurity is now the number two global business risk, up from fifteenth position 5 years ago. Number one is business interruption, which is a bit of a circular argument — a threat to business is not being able to do business? This being said, the biggest potential cause of business interruption is seen to be cybersecurity-related incidents. 

As I wrote on the topic, however, the conundrum around cybersecurity remains as astonishing as ever. It would be good to think that organisations are finally getting the message, but as the adage goes, “don’t watch the mouth, watch the feet.”

Trust in media is collapsing. Is that such a bad thing?

Imagine my delight, while putting this article together, when I found publication of fake news was illegal during the French revolution, with the obvious consequences. Incidentally, if you want a positive story about the impact of technology and its ability to democratise data distribution, execution by guillotine continued well into the 20th century, but it was the arrival of film recording that led to its demise. Turns out the mob thing quickly loses its sparkle if you’re not there.

Back at the article, here’s the skinny: “Perhaps our collapse in trust in the media is in fact a symptom of our increasing desire to engage with reality. While we are less likely to accept authority for its own sake, we recognize the fact that we cannot know everything: the opportunity, then, is to develop information sources that rely on provenance, on provable expertise and the ability to articulate how and why things are as they are.” A gap that yearns to be filled. 

Extra-curricular: how not to write a biography

In other news (which is semi-curricular, to be fair), I gave a talk on this subject to the Gloucestershire Society of Authors group this week. I’m reminded of Christopher Norris’ response when I went on one of my usual existential rants about whether I was actually an author, or ‘just’ a writer. “Oh, you’re definitely an author,” he said. “But you’re not an auteur…”

Finally, thank you to all my subscribers. Any questions or feedback, let me know.

Until next time, Jon
