Securing New Technology is Going to Be Ok. Just Not Today.

Why? Because like camera phones, the cloud, and everything that came in between, we don’t quite fully understand them. They represent dramatic change and, frankly, we security people don’t handle change very well. Add to that the generally sorry state of security technology, infrastructure, and software and our comfort level decreases even more. Deep down we know that for all the business’ good intentions, market promise, and well-funded research and development in these technologies, one thing is inevitable:We’re going to get it wrong! Very, very wrong. That’s bad for business, and it’s bad for our customers.

As we race to market with new AI, Blockchain, and IoT solutions there is no way to guarantee we will get it right (even if we can define what “right” is at this early stage). As a result, data will leak, secure configurations will fail, “expert” knowledge will be lacking, technology designed to stop and catch threats won’t, and attacks will succeed. Not on some grand scale that will see the complete collapse of the world’s cloud or Blockchain environments, but on a thousand little micro-scales, where individual organizations get tripped up on the learning curve of these technologies and expose themselves to the badness that awaits. Nobody wants to be tomorrow’s security breach headline, but unfortunately, somebody will end up there anyway. It’s the sad reality of this stage of learning infancy: we need to get it wrong first because that’s the only way we’ll learn what “right” looks like. However, as we struggle amidst our lack of knowledge and the general mediocracy of our security technology, we can be comforted by one bright thought:

It’s going to be OK.

Not immediately, but eventually, and we’ll get there by understanding our current limitations and working to minimize them while the knowledge and experience we desperately need catches up. We do this by remembering the foundational security principles that have served us well for decades. These are principles like limited and authorized access, least privilege, and limiting the storage and transmission of data. We all learned about these principles on day one of CISSP class, yet they seem to get perpetually lost in the face of shiny new security technology and promises like “containers will solve your security problems” and “trust the math.” I do trust the math. I just don’t trust the people implementing the math.

So, protect what you can, monitor what you can’t, and be ready to respond quickly when things go wrong because they will go wrong. When your business leaders say they want to move fast and furiously into new and exciting technologies, check your horror at the door. Companies rarely make go/ no-go decisions based on the cyber risk attributes of a new idea, but how well they succeed or fail may very well rest on your ability to manage those risks effectively. Without your expertise in security and risk management they will most certainly get it wrong, so you might as well be part of helping to get it right.