I am reading the Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT to gain some insight from the perspective of the mid-sized enterprises that I typically consult with on governance and management matters related to their information security and assurance.
In the foreword is a statement that jumped out at me:
Information security exists for two distinct purposes: to enable an entity (a person, business, or government) to protect their own secrets, and to enable an entity to protect another entity’s secrets. The former will occur naturally—one is naturally incented to protect one’s own secrets. The latter, however, does not—it is an externality. As such, it is sometimes necessary to create regulatory bodies to ensure that these secrets are adequately protected.
I have to comment (and that scares me because I am two pages into a 36-page report).
The assertion is that we are "naturally incented to protect one's own secrets".
I generally think that is true in the context of real life and the physical world. I hide the Christmas gifts from my kids and the new kettlebells I purchased from my wife. My neighbors don't know my credit card numbers, my social security number or the result of my latest physical. We don't talk about our crazy uncle. Everyone has those kinds of secrets and is inclined to protect them.
In the business world we have similar secrets. Our new marketing campaign. The new untapped market niche one of the sales people discovered. Our secret sauce. Customer lists. Bank account information. Sales commission agreements between the company and each salesperson. Business people ARE inclined to protect those kinds of secrets.
In the personal and the business examples above the secrets are physical secrets or "secrets of the mind". The moment we digitize those secrets, though, I think the inclination changes. There is a desire to protect them, but the inclination to protect is thwarted by a lack of awareness about how well protected these secrets are and about what might attack them or the system they are "safely" stored on.
Said differently, the unaware business owner just might be inclined to want to protect his "own secrets" but most likely doesn't realize they are exposed.
Several years ago we had a prospective client come calling. They had been breached. It wasn't a legally reportable breach, as no personally identifiable information was involved. It was a mess, however. There were no logs to allow much of an investigation. The weakness in our soon-to-be client's systems was human error. They had simply not attended to the effort needed to secure the system. In non-technical terms, they had built a building but not put a lock on it or watched the door. Their losses were intangibles. Source code to a custom app was taken. Code in production on their servers was contaminated. Nothing was backed up, so work had to be redone to get them back to a pre-break-in state.
Physically, when I first visited their facility I entered from an outside door into an empty locked room. In that room, behind double-locked doors and under a camera, is a phone. Instructions clearly state to call your appointment from the phone, and then they will come to get you. We have assessed the environment since we first met, as an outcome of the breach, and the system, though primitive, works.
They understand the physical and lock it down pretty well. In the physical sense they are inclined to "protect their secrets" (or at least their physical property). But until that breach occurred they didn't understand that the hard work invested in their custom code, the code itself and the "secrets" kept in databases on their servers were every bit as exposed as if a customer list or some other printed form were sitting unattended in that entry room or outside the front door.
When it came to their virtual goods, the electronic equivalent of that secure room, locked down and monitored, didn't exist.
Why? Were they not "naturally incented to protect one's own secrets"?
I think they were inclined to protect their own secrets. After some education they now have the electronic equivalent of that secure room.
The issue for them, and I think for many, if not most, business owners, even in technology fields, is that there is a lack of awareness of what is at risk, where weaknesses lie and what might be attacking those weaknesses.
I believe it is an imperative for a business owner or executive to understand the context of their business. If much of their business occurs electronically, then understanding the context of that environment is an imperative. Only through that awareness and understanding can your inclination to protect your secrets be real.
Are you naturally inclined to protect your business secrets?
Are you aware of how those electronic secrets are protected?
Are you aware of weaknesses in your system security that would allow an attacker an entry point?
Are you aware of who the attacker might be? Or what they might want?
Have you assessed your security posture?
Again, are you naturally inclined to protect your business secrets?