Saturday 25 June 2016

Information risk - the Next Big Thing

It strikes me as deeply ironic when a peer acknowledges that the most important thing in cybersecurity is not the technology but the people. The irony is deeper still, given that the comments stem from a Gartner conference.

Anyway, I see a faint glimmer of hope that, finally, the cybersecurity bandwagon might be trundling out of town. And good riddance! Frankly, I'll be glad to see the back of it. Cybersecurity may be a gigantic feeding trough but it is so 20th Century.

Way back in the 80s when I started my professional career, "computer security" was just becoming the thing. The reasoning was simplistic: computing was a costly and new/risky investment that had to be protected. However as mainframes gave way to minis and then micros, mainstream IT gradually became a humdrum commodity. Admittedly, there is still competitive advantage to be gained by strategic investments in IT, including old-school systems and software development (as opposed to merely assembling and configuring commercial off-the-shelf products including cloud-based services). But how many present-day organizations have their own in-house application development function?

Through the 90s and 00s we surfed the waves of "IT security", "GRC" (governance, risk, compliance) and now "cybersecurity" ... and yet it is the information that I seek to secure, not (just) the cyber. Once again, the reason is simple: there's more value in the information being processed than in the fancy electronics doing the processing. There's much more at stake if the information is threatened than if the technology is under pressure. We can always pop down the road and buy another box. Securing the machines per se doesn't necessarily protect the information, especially once you realise that a substantial amount (and value) of business information is never even computerised in the first place, a fact that the cybersecurity crowd either remain blissfully ignorant of or conveniently choose to ignore.

Worse still, we're not even much good at securing the technology. Ransomware is the latest in a long line of demonstrations of our collective ineptitude, and perhaps our arrogance. The controls against ransomware are basic (tested offline backups, prompt patching, least privilege, filtering of email attachments and links, user awareness), and yet there are evidently vulnerable victims a-plenty.

For what it's worth, I predict the Next Big Thing after cybersecurity will be "information risk" by which I mean "risks associated with or arising from information". Since information is widely acknowledged to be an extremely valuable, if not invaluable business asset these days, the related risks deserve to be properly addressed, making this very much a business issue. The linkage is direct and obvious. Now that's a bandwagon I'd clamber aboard - in fact I might even be driving it.

Following that, the next Next Big Thing might just involve "opportunity". Information security and cybersecurity professionals are, on the whole, obsessive about mitigating risks, as if risk is inherently evil, something that ideally ought to be eradicated or at least understood and brought under control. The idea that some risks might actually be good and beneficial, to be embraced and willfully exploited, is anathema to most of my peers. There are glimpses of an alternative approach but they are rare indeed: I'm thinking, for instance, of the possibility of deliberately exaggerating the quality and strength of our defenses as a deterrent control in its own right, perhaps faking the messages indicating that our Internet-facing systems are fully up to date with all the current security patches. Furthermore, ethics and legalities aside, the use of penetration testing, social engineering, malware, cryptanalysis and so forth as offensive weapons to compromise competitors or other adversaries is simply not discussed in polite conversation between infosec pros. You don't find mainstream conference speakers extolling the virtues of building offensive cyber capabilities, except perhaps in the military and defense world. Compliance is so deeply ingrained in us that few would even consider delaying let alone lying about compliance with assorted security, privacy, governance and other obligations.

That's all very well but what if our adversaries have never even heard of the Marquess of Queensberry? We're not even taking a knife to a gunfight: all we have are our secret decoder rings, plywood swords and cardboard shields. And let's face it, we look ridiculous in our blue Spandex suits and face masks ("Speak for yourself Gary. I look cool!").

PS Although 'information security risk' is mentioned in many ISO27k standards, the term is not defined as such in ISO/IEC 27000:2016.
