We've all been there - I nuked the entire Cal State Poison Control Center network with a botched router upgrade once... some mistakes are more avoidable than others - for those we advise padded desks and decent backup and security policies

We have seen an unprecedented volume of massive breaches, hacks, and data theft in the past year – the number of major breaches has significantly grown and is continuing to grow unabated.

We can identify many reasons for this, and some are even quite accurate:

  1. Hacking for profit is safer than robbing a bank.  Have you heard of a hacking group getting shot while injecting malware into any US banks?  Me neither.  Some of the foreign ones may even be getting medals and citations for their work!
  2. The complexity of our systems and the interconnectedness that drives business process today inherently leaves holes and gaps that can be exploited.
  3. The human element – we all want to find that rich Nigerian uncle who is leaving us, his sole remaining descendant, that $3.5m in blood diamonds – so someone clicks the link…

But recently I discovered what I think the real reason is…  “IT didn’t really give a %*!#.”  Management, Executive Leadership, the Board of Directors, and large parts of government don’t really give a %*!# either though, so don’t worry… you’re not alone.  That being said, as a consumer who is increasingly dependent on banks, insurance, healthcare, government, power grids, water systems, criminal justice record keeping, and little things like jails working – you may want to fidget a little.

“I have all the budget I need and full management support to implement a zero trust architecture and harden all of our IT and business processes” ~ stated No SecOps Lead Ever

It doesn’t matter how high up you put the ‘we must be secure’ corporate goals, or how many executive orders to ‘improve security’ come out – security has not historically been a top priority of any IT organization I have met (caveat: outside of the Intelligence Community).  Why is this?

  1. The top priority for most IT operators has always been uptime and reliability – it doesn’t matter to ‘Andy the Admin’ how secure his database is if it’s crashing every day.  Lots of crashing means Andy doesn’t sleep at night and then Andy is swiftly unemployed.  Andy loves uptime…
  2. Once Andy the Admin has solved for uptime, the business has been increasingly pushing for ‘agility’.  This basically means that Andy needs to build an infrastructure that enables him to do more, faster, with fewer resources and much more machine automation.  A direct result of the push for IT agility in the service delivery chain is the emergence of tools like Docker.  Andy then spends a lot of his time building automated workflows that deploy applications really fast, and he keeps his fingers crossed that this does not cause a meltdown impacting uptime.
  3. What many vendor-provided technology tools have ignored in favor of time-to-market, and thus Andy never gets around to, is Security, the humble traditional third priority.  Sure, he could secure his applications, whitelist everything, run on SELinux, deploy several server-side agents, sign everything, implement strong audit controls and out-of-band administration networks.  But that has historically gotten in the way of priority number 2, and thus would introduce more points of failure for number 1.

A weak infrastructure resulting in a lack of availability is noticeable to Andy and his management immediately, probably on a weekly basis.  Andy’s boss (CIO) brings in armies of well-funded millennial consultants from Massachusetts with their still-wet diplomas in their hands, talking about automating business processes and improving the IT service delivery chain with the latest web-scale tool.  An Alderaan-style security event never feels likely to happen to most operators.  So they choose near-term pain avoidance – it is human nature.

Wednesday - the day you get a dot matrix pic in the WSJ for every reason you never wanted one

Historically, budgets were not aligned with securing the enterprise.  However, in the past few years we have seen a notable shift in priorities and budgeting among enterprise and mid-market customers.  The perennial third priority has risen in both funding and awareness.  What has not yet evolved is product delivery from technology companies.  Too often we, the vendor community, have made time-to-market tradeoffs around security, putting our business performance ahead of our customers’ goal of securing their organizations’ data.

Fortunately, architectural approaches such as Zero Trust Architectures and Hyper-Secured Infrastructures are emerging that create environments that are exceedingly difficult to hack, yet are still viable to operate.  The concept of balance in the system design is of paramount importance.  In short:

  • Systems must be engineered to be highly reliable without sacrificing security or agility.
  • The agile workflow must be capable of deploying applications that are secured and reliable.
  • The securing of your applications and data cannot make the enterprise less reliable or add onerous workflows that break the business’s ability to innovate.

In short, parts of the technology industry have finally come to the realization that we need to create a balanced system – one that delivers reliability, and agility, and security.  We can’t compromise on any leg of the stool, or the entire application platform collapses.