Friday 5 May 2023

Memories of an O.F.

I freely admit to being an Old Fart, old and plenty farty enough to remember a time even before the DTI Code of Practice was released and then in 1995 became BS7799, making information security A Thing.

OK so I'm not quite so old as to remember when computers were women in rank and file, studiously calculating missile trajectories, but I've read about them and I remain fascinated by the early mechanical, electro-mechanical and then electronic computers - initially single-purpose tools such as that nice Mr Babbage's difference engine, then machines capable of various tasks using toggle switches, punched tape and cards to program their instructions.

Back in the 80's when I escaped the genetics lab to become a net/sysadmin, computer security was just becoming important: people (particularly managers, few of whom had a clue about IT) were vaguely concerned about these newfangled, complicated, mysterious and expensive computers. Securing data processing hardware was seen as important given its book value and fragility. Even clueless managers could appreciate the need for physical security controls for physical computers - locks and keys, Halon, computer rooms and computer pros in white lab coats jealously guarding their big beige babies.

Well, most could. Some managers didn't get it even then.

[Aside: I still shake my head when I remember a director responding to an issue in one of my audit reports concerning inadequate fire protection for the computer suite. "There are no fire risks because computers have no moving parts" was the gist of his response. Oh boy! What a slaphead!] 

In the early to mid-90's, BS7799 changed the rules of the game. We re-focused attention on protecting the valuable and vulnerable information content - the computer data as much as the IT hardware plus information in other forms. The light went on for me in thinking about intangible information such as knowledge (e.g. the DIKW pyramid), expertise, relationships and so on: personal information and business information are valuable and vulnerable so need adequate security to protect them against various harms and need to be used (legitimately exploited) to release their value ... which means we can't simply lock them in a vault and throw away the key ... hence our core job is not just security but risk management, blending security with utility, balancing confidentiality, integrity and availability of that valuable information.

When first released, the Code of Practice and BS7799 described a bunch of sensible good practice information security controls worth considering and adopting, generally, picking out a few key controls ... but on what basis were they key? How were mere users meant to decide which controls were needed, which were most/least important, and how much should we invest in security? Should we all have all the controls in '7799, or might some be irrelevant and worthless? Aside from the (fairly basic) controls in '7799, what other controls might be worthwhile/necessary, and how would we even determine that? So many questions, so little time and money.

BS7799 Part 2 in the late 90's gave us a structured, systematic approach to manage the security controls in the context of managing the organisation's information risks (or rather, the 'information security risks' - a curious, undefined term that - despite my best efforts within ISO/IEC JTC 1/SC 27 - stubbornly persists to this day in ISO27k). The systematic management and continuous improvement (Deming's Plan-Do-Check-Act) concepts underpinning BS5750 for quality assurance could usefully be applied to information security. Result! 

Meanwhile, as Moore's Law kicked in and IT hardware proliferated, standardised and plummeted in price, the data content became proportionally much more valuable than the containers. First along came time-sharing minis and micros, then PCs and networks, the Internet, the Web, cloud and now AI - lots more IT/data processing of course, but today's IT hardware and cloud services are readily available and cheap-as-chips (except cellphones and hearing aids, it seems) whereas the information content and access to people's heads is pure gold.

Against that backdrop, the cyber movement is partly a throwback to the days of IT security, partly a lunge forward to the protection of critical national infrastructures against extreme cyber threats in cyber war, including the data wars now quietly raging around us in the form of nation-state-sponsored mis- and dis-information and social engineering on a grand scale. Since deception and manipulation can now be AI-generated, planes needn't drop propaganda leaflets on foreign territory. Drones and satellites can simply watch on and listen, while networks and FedEx deliver dangerous digital payloads.

The cyber field is split neatly in two. However, some of those who use 'cyber' naively to refer to IT/ICT in general don't even seem to appreciate that the other 'cyber' is materially different to what they do, day in, day out. Antivirus, patching and backups are absolute basics, important and necessary controls, yes, but woefully inadequate to protect against, say, world-class cryptanalysis or supply chain compromises involving chip fabrication and PCB substitution attacks. The kind of security awareness and training that might, hopefully, stop Chris from Accounts swallowing a phisher's hook and infecting the hospital or bank with ransomware is nowhere near good enough to prevent Manning or Snowden disclosing Top Secrets to Foreigners.

You can't fight real wars with cardboard guns, running around shouting "Bang!", at least not for long before the tears flow.

So, where does that leave us? I'm intrigued by the thought that 'critical infrastructure protection' is just as important to industry segments and organisations as it is to entire nations. For me, there's a huge area of common ground between business continuity and resilience, information security, information risk, information management and knowledge management. If information is the modern corporation's lifeblood and IT its heart, management is presumably the brain and spinal cord. How do we prevent arterial bleeding or septicaemia when some distant appendage is damaged? Managers should be busy dealing with all these issues, while the executive team ensures that they do so while also achieving the corporation's business objectives. It's that tricky mix of security and utility, again, establishing a stable and reliable control framework that lets the business seize control and take calculated risks with information, safe in the knowledge that it can cope with the inevitable incidents when unmitigated risks materialise.

Actually, calculating and quantifying risks is a worthy challenge for the biggest brains of the day, another fascination of mine that crops up repeatedly here on the blog. Who knows, maybe ChatGPT has the Ultimate Answer (six times nine in base 13).

I'm also curious about the overlap of information security with human safety, motivation, mental health and intellectual capacity, now with Artificial Intelligence adding spice to the mix. 

As new silicon life forms emerge, what is the future for us antiquated carbon units? Are we destined to be risk-managed, controlled and contained by our own machines, perhaps even eliminated as unacceptable threats at some point? Are AI systems augmenting human intelligence, or the converse? Are we fit to survive the next great evolutionary phase? 

I wonder what that other famous Charles would make of this pickle of our own invention - no, not the king, that nice Mr. Darwin.
