« 5 things you might not know about Justin Foster | Main | 3.2 KB of Code Can Kill You »

September 2, 2009

Speeding on the Information Superhighway

1184005_on_the_way_home After narrowly avoiding a speeding ticket recently I realized, there is a lot of similarity between data security and the risks of the open road.

We all know that the role of information security is to reduce risk to an acceptable level, however sometimes the reason for existence of the risk in the first place is ignored...the reward.

The reward of digital information exchange is increased productivity, lower costs and improved service. A bank that didn't offer online banking would be far more secure, but it would hardly be competitive or cost effective.

The more services that move online, the faster business is conducted, the more risk we take on. With all of the data breaches going on lately, are businesses speeding?

Speeding on the real highway is risky business. The risks we face in driving are similar to the risks we face in business:

  • The risk of getting a ticket - The risk of getting fined for failing an audit
  • The risk of loosing points - The risk to your reputation for having a breach
  • The risk of crashing - The risk of data loss
  • I think you get the point...
Balancing the risk vs. reward can often be a difficult task. Sometimes we have a distorted perception of the risk we are getting ourselves into (like when I let my wife cut my hair). The reward too is hard to judge. Opening access to your database for a partner may seem like a good way to integrate quickly, but you'll soon regret it when they plug an application with SQL injection into it!

In cars, like datacenters, we adjust the risk/reward ratio by using countermeasures:

  • Airbags/Crumple Zones - Raid, WAF, AV, etc.
  • Radar Detectors - IDS/IPS (Yes, I realize that I'm mixing the good guy/bad guy)
  • Car Insurance - Disaster Recovery
  • And so on..
Recently I heard of an insurance company where you pay based on usage. They plug a device into your car and charge more if you are driving above the legal limit or at risky hours. Privacy concerns aside, I think this is an interesting way of having the risk/reward balance encouraged. If you knew that actions you were taking would have personal, and very real, repercussions you may defer risky options in favor of options that keeps your business more secure.

Without some form of auditability and accountability, right now it's up to each organization to decide how fast they want to go, and some may be going faster than they can handle. 

Posted by justin_foster on September 2, 2009 at 05:15 PM in Security |

|

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a011279135bcf28a40120a541e4b9970b

Listed below are links to weblogs that reference Speeding on the Information Superhighway:

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

About

The views and opinions expressed on this blog are my own and in no way represent the views or opinions of my employer, Trend Micro.

 Subscribe in a reader

Archives

Twitter Updates

    follow me on Twitter
    Lijit Search
    Creative Commons License

    Copyright © 2010. This work is licensed under a Creative Commons Attribution 2.5 Generic License.

    Some images used with permission from istockphoto.com, clipart.com and sxc.hu subject to individual copyright.