
For 30 years, we have been talking about the same things in the day-to-day business of information security – weak passwords and insufficiently sensitized end users, (overly) powerful administrators, threats from malware, hackers and, more recently, organized crime and (foreign) state intelligence services. Even the currently much-discussed “social engineering” – hard to believe – already existed back then and even before the invention of IT.

Of course, some things have changed – ICT has become more complex, and information security has become correspondingly more complex. BS 7799 became the now unmanageable ISO 2700x series, COBIT developed from a simple checklist for testing elementary security functions when purchasing ICT equipment into a (too) powerful audit tool for the entire IT sector, and the BSI’s modest basic protection requirements for SMEs became a collection of such powerful basic protection catalogs that a separate, complex project is now intended to simplify and streamline this collection and take it “back to the roots”.

The list of threats and attackers has also expanded considerably – but information security suffers from the problem of the additivity of its problems. New attack variants are constantly being added, but the old ones are not disappearing, so that all efforts on the protection and defense side are also additive and, as has been the case for 30 years, raise questions about the sense of corresponding investments and operating costs as well as the limits of use or the “right” level of protection. In this sense, information security is still an unpopular element in the minds of many decision-makers, and if it is included at all, then as late as possible in corresponding specifications.

Also unchanged seems to be the confidence of the more sales-oriented members of the information security community that buying their products will solve any security problems once and for all (in the next release). Sure, the products have become functionally more powerful, more efficient and more visually appealing. However, they are still only potential solution modules that still need to be integrated into corresponding overall systems and then operated accordingly.

Of course, it can be argued that this rather evolutionary development of information security has more or less served its purpose so far – the worst-case scenario has failed to materialize and the networked service society, the networked citizen and the “always on” culture using multifunctional, portable end devices cannot be stopped.

However, if one compares this slow adaptation of information security with the rapid development in other areas of IT (smartphones and tablets with their “app”-based thinking, cloud offerings based on extensive virtualization, development of powerful, convergent networks, etc.), then information security has not yet succeeded in developing positively in leaps and bounds and gaining a sustainable lead over the range of attackers.

The thinking and actions of many information security officers are correspondingly iterative and often reactive – small steps and successes in the face of limited resources, but rarely a “quantum leap” or real innovation in the design of information security and in the defensive arrangements set up against potentially powerful and well-equipped attackers.

There are certainly new approaches to get information security off the back burner for once – e.g. through:

  • innovative ideas for drying up the black market for new vulnerabilities by systematically buying them up “ex officio”,
  • the transnational, rapid and bureaucratically unhindered prosecution of criminals,
  • the manufacturer-independent provision of a sufficiently secure hardware-based security “core” in every piece of ICT hardware sold, on which all other security functions can then be based,
  • the transformation of today’s networks into sufficiently well-encrypted and, where necessary, authenticated data transmission, or
  • the final replacement of insecure access methods (passwords, short PINs, etc.) to ICT systems by end users.

This and much more would be possible and would finally allow information security to make a really big leap forward compared to its opponents – however, it is to be feared that small steps and often still too reactive and product-based thinking will continue to dominate information security. For those working in information security, this may be good news – we will not run out of work, customers or opponents.

This may not seem so positive for information security customers, as this approach will continue to result in high fixed costs with limited efficiency and the corresponding potential for damage. However, if our customers continue to entrust ICT with an increasing amount of virtual and (e.g. through the Internet of Things) physical assets, information security as a discipline with a more iterative and reactive approach will fail in the long term.

New, bold, unconventional ideas from a new generation of managers are therefore in demand – the author, as one of the “old hands” of the scene, is excited (and until then remains a rather cautious user of ICT).