“Just because everything is different doesn’t mean anything has changed.”
The principles that motivate current approaches to securing information and the systems that store, process, & transmit this information are – for the most part – well understood by practitioners. Billions of dollars have been allocated by organizations to protect their virtual assets. Modern processes, procedures, and practices for implementing these principles are also well documented; and it is hard to find any area of information security that has not been the subject of multiple books, websites, whitepapers, & articles. Yet, data security breaches continue to occur with irritating regularity.
[NOTE: The following was written on 10.7.2007, but could have been modified at almost any time in the past five years by simply changing the actors' names: “For example, in the past week, both EBay and TD Ameritrade announced the loss of confidential networked information. In fact, TD Ameritrade has hemorrhaged personal information for several years. In June, a New York law firm filed a class-action lawsuit against the brokerage, charging that the company knew that e-mail addresses were leaking to spammers and yet, had failed to inform customers. Both EBay and TD Ameritrade maintain large internet presences, and both have large, well-funded information security groups.”]
The fact is that information security as it is practiced now (and has been practiced for the past 20-25 years) doesn’t work very well, & this situation, due in large part to the concurrent proliferation of both mobile networked devices & virtualized, location/provider-independent httpd-based services, can only worsen.
So… Let’s begin with this seemingly innocuous question. Why do these violations continue to occur? Or to format the question in another manner – When factoring in the resources allocated (both human & capital), our accumulated experience w/ rational approaches to securing crucial resources, & the advances in security technologies: Why does the rate (or amount?) of data loss not approach zero?
The answers to these questions are complex, & will require us to utilize concepts from sociology, history, politics, economics, evolutionary biology, game theory, & other seemingly unrelated fields. However, as we begin to answer these questions, we will be able to predict with some certainty the state of information security in 2020.