It's lonely in the middle -- but it doesn't have to be

For the middle class of companies, information protection is especially hard.

On the one hand, you now have information that is both a present corporate operational necessity and information that is what will build your future. The new and/or tiny firm may have intellectual property that is what their future is made of, but when a company is small the problem of protection is more straightforward because some one person still knows what it all is and where it all is.

The Fortune 100 industry leader may have trade secrets that are likewise what their future is made of, but by virtue of their size they can buy protections sufficient to keep the protection problem and the apparatus to solve it inside the company.

For the middle-sized firm, keeping the protection problem inside the company is closer to intractable than it is for either the small firm or the large because the mid-range problem gets too big for one person to handle much before the mid-range firm can afford a full, in-house protection regime.

This note is written for those middling firms that are not yet resource-rich enough for how information-rich they already are.

This is a risk management problem. Because you want your information to be used (else why have it?), your information will be in motion. While there are security solutions to information-at-rest, information-at-rest that is not used is irrelevant to this discussion. (Take it offline if it is simply archival.) You need a solution for information-in-motion. It is worth repeating that you will still have your digital information even if someone else steals it -- unlike when your car is stolen. The Verizon Data Breach Investigations Report (DBIR) regularly reports that the majority of information theft is silent: the DBIR's number is that 80 percent of all information theft is discovered by an unrelated third party. The Index of Cyber Security (ICS) asked CISOs "Have you and/or your colleagues discovered an attack at another entity?" for which 55 percent said "Yes and confirmed" and another 10 percent said "Yes but unconfirmed." Information that is stolen is information-in-motion, just not a desirable motion.

The great strength of capitalism is the division of labor. We all do it every day. It can be a convenience, or a cost saver, or a matter of safety. As circumstances change, you may bring something in house that had been done for you by others, just as you may have others handle something for you that you may have been doing for yourself before. We think that information protection may well be something that, when you are small, you do for yourself out of necessity. When you are really big, you may do it for yourself out of some combination of discipline and cost. In between, the risk management question is "Is our skill up to the job?" Better to say "No" and find a solution than to hope that the bad guys just don't notice you.

Information protection has parts that everyone should do. It also has parts that are very, very context dependent. Knowing the difference and acting accordingly is not something we advise that you learn by trial-and-error. The body of knowledge required for information protection grows daily due to a combination of sentient enemies, mounting complexity, and business demands of ever faster. At least at first, you need a mentor who can teach you what you need to know while standing in for you until you are truly ready to solo.

Information protection means a program, not a tool, not a silver bullet, not a small number of enlightened facts. It means learning what it is that you don't know that you don't know (without the expensive embarrassment of the serious errors our opponents will surely deliver). An information protection program is, at its best, something that a mentor jump starts for you and, over time, brings you to the point where whether you take it over entirely for yourself, or keep it as a partnership with your mentor, is a choice that you make for reasons that no longer include whether you know what you are doing. Everyone understands that, say, driving tractor trailers or doing surgery is not something you would teach yourself.

Information protection isn't either. The base reason most information theft is silent is that most middling firms don't know what information they have, do not have any indicators of how movement actually happens (source, target, frequency, volume, etc.), and have relationships with counterparties that complicate the situation. None of that is something to be ashamed of; it is merely a fact and all but inevitable in the growth curve of the firm. As such, the first step is setting up a program to learn what the firm's current situation is and, only then, make decisions on what might be done differently, if at all. And keep score.

This first-things-first approach demands a mentor with the tools to take a high-definition photograph of your information-in-motion -- the source, target, frequency, volume, etc., mentioned above. If experience is a guide, then you will have some surprises. Again, this is nothing to be ashamed of, but better you get those surprises quickly and from a trusted mentor rather than reading about your data breach in a newspaper. Note that the kind of mentor we suggest is not a penetration tester, not an auditor, not a per-diem consultant, and not a reformed criminal peddling a product.

Rather, we are suggesting a mentor who can instrument your firm without any outward sign that this has been done, so that the measurements you then take are unbiased and au naturel. We think this means instrumentation that is silent in its installation, silent in its operation, and which is therefore implemented as so-called "Software as a Service" (SaaS). Think of a SaaS information protection program in its initial data-gathering phase as a one-way mirror. You are not "on the floor" but you can see what is going on in a way you have never before been able to see, and discuss what you are seeing with your mentor while looking at real data, not hypothetical scenarios, all in a way that does not (yet) perturb current reality. This is what a scientist would describe as "not poisoning the experiment" -- getting untainted data on your information protection situation as it is. A mentor who can instrument your firm and give you a complete (and new) view of your information protection situation is good, but not good enough.

Your mentor's instrumentation harness is better if it also allows you to test control strategies before you implement them ("What if I block CD burns across the board?") and to do so with data that is not some industry norm or the output of some model, but is instead a real-time simulation of what would happen were a proposed policy to be enforced using your data as they are observed.
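The measure-first, simulate-second approach of the last two paragraphs, as an added example that is not part of this essay or of any vendor's product: a baseline of observed information-in-motion (source, target, frequency, volume per channel) followed by a monitor-only "what if" run of a proposed control against those same observed records. The record format, channel names and the sample transfers are constructed assumptions for illustration; the policies shown are the essay's "block CD burns across the board" and a narrower variant for comparison.

```python
"""What-if policy simulation over observed information-in-motion records.

Added example, not the essay's or any product's code. The CSV record
layout, the channel names and the sample data below are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Flow:
    ts: str        # ISO-8601 timestamp of the observed transfer
    src: str       # user or host that moved the data
    dst: str       # where the data went (host, device, service)
    channel: str   # assumed channel labels: email, usb, cd_burn, sftp, cloud_upload
    nbytes: int    # volume moved


# Constructed sample of observed movement; not real telemetry.
SAMPLE = """\
2024-03-01T09:02:11,alice,partner-a.example,sftp,52428800
2024-03-01T09:15:42,bob,gmail.com,email,1048576
2024-03-01T10:01:03,carol,USB-SERIAL-01,usb,734003200
2024-03-01T11:20:55,dave,CD-RW,cd_burn,629145600
2024-03-01T13:45:00,erin,CD-RW,cd_burn,4194304
2024-03-01T14:02:17,alice,partner-a.example,sftp,10485760
2024-03-01T16:30:09,dave,CD-RW,cd_burn,681574400
2024-03-02T08:55:31,frank,dropbox.com,cloud_upload,209715200
"""


def parse_flows(text: str) -> list[Flow]:
    """Parse one comma-separated record per line; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, channel, nbytes = line.split(",")
        flows.append(Flow(ts, src, dst, channel, int(nbytes)))
    return flows


def baseline(flows: Iterable[Flow]) -> dict[str, dict]:
    """The 'photograph': per-channel frequency, volume, distinct sources and targets."""
    snap = defaultdict(lambda: {"count": 0, "bytes": 0, "sources": set(), "targets": set()})
    for f in flows:
        s = snap[f.channel]
        s["count"] += 1
        s["bytes"] += f.nbytes
        s["sources"].add(f.src)
        s["targets"].add(f.dst)
    return {
        ch: {"count": s["count"], "bytes": s["bytes"],
             "sources": sorted(s["sources"]), "targets": sorted(s["targets"])}
        for ch, s in snap.items()
    }


# A policy is a predicate: True means the flow WOULD be blocked if enforced.
Policy = Callable[[Flow], bool]


def simulate(flows: list[Flow], policy: Policy) -> dict:
    """Monitor-only: score a proposed policy against observed flows; block nothing."""
    blocked = [f for f in flows if policy(f)]
    blocked_bytes = sum(f.nbytes for f in blocked)
    total_bytes = sum(f.nbytes for f in flows) or 1
    return {
        "blocked_count": len(blocked),
        "blocked_bytes": blocked_bytes,
        "affected_users": sorted({f.src for f in blocked}),
        "share_of_volume": round(blocked_bytes / total_bytes, 3),
    }


def block_all_cd_burns(f: Flow) -> bool:
    """The essay's candidate control: block CD burns across the board."""
    return f.channel == "cd_burn"


def block_large_cd_burns(limit: int = 64 * 1024 * 1024) -> Policy:
    """Narrower candidate: only burns above `limit` bytes (assumed threshold)."""
    return lambda f: f.channel == "cd_burn" and f.nbytes > limit


if __name__ == "__main__":
    observed = parse_flows(SAMPLE)
    for channel, stats in baseline(observed).items():
        print(f"{channel:13s} n={stats['count']:2d} bytes={stats['bytes']:>11d} "
              f"sources={stats['sources']} targets={stats['targets']}")
    print("block all cd_burn   :", simulate(observed, block_all_cd_burns))
    print("block large cd_burn :", simulate(observed, block_large_cd_burns()))
```

The point of `simulate` is that it never enforces anything: it answers "what if" with counts, volumes and the list of people who would be affected, drawn from the firm's own observed records rather than an industry norm or a model. Running the broad rule beside the narrower one shows why the baseline comes first: the narrow rule catches the same two large burns while leaving the one small, routine burn alone, which is a trade-off you can only see once you have the photograph.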

A mentor would not, of course, be starting from scratch, nor be just one or two steps ahead of you in the mentor's own trial-and-error process; that would be inconsistent with being a mentor at all. The good mentor will say "Your firm is the kind that needs to protect data that your counterparties have entrusted to you, so let's start with an instrumentation configuration that is relevant to firms of that sort" or something equivalently tailored to what sort of firm you are. This is the jump start you need to not waste time or money and to get to real risk management at all deliberate speed.

There is an old joke about a drunk looking for his keys under a streetlight because the light is better there. As a pitfall, this one is commonplace. Consultants and penetration testers will tell you that the most important thing for you to do is to fix the problems that they are best at finding. This may work, if you are lucky enough to have lost your keys under a streetlight. It is not, however, the path of wisdom. The path of wisdom says that you don't start with where you want to be; you start with where you are. The mentor you need will show you where you are so that you know where you are starting from. This is not a nuance; it is the core of why instrumentation of your firm with a SaaS analytic engine plus a mentor is the point of this essay. Once you know where you are, then the careful imposition of controls by way of the instrumentation and analytic baseline you by that point already have becomes your information protection program, a program devoid of wishful thinking.

In summary, if you want to fly, then hire an experienced flight instructor with a good plane. If you want to protect your information, then hire an information protection mentor who has a lot of hours in the air but whose measure of success is that you can make informed decisions based on real data that, frankly, you wouldn't know about if that mentor wasn't on your side. The opposition is probing and, given time, they win. Get "there" first.

Read more about data protection in CSOonline's Data Protection section.

Stories by Dan Geer