Nobody practices real security: David Lacey

When you consider where security is heading, futurist David Lacey, who spoke at the CSO Roadshow in Melbourne this week, talks about the growth and importance of networks, relationships and the flows of information.

Massive scalable power can be achieved through the exploitation of networks, so as the number of relationships and flows of information between them scales ever upwards, the implications for security are vast, says Lacey.

“The future focus of security is basically going to be all of things that security is currently bad at,” he states.

Security is going to need to be more mobile and highly complex; it’s going to get faster and faster, and it will be far more intellectual, external and diverse. “These are all things we don’t yet know how to manage.”

Controlling such massive networks and flows of information, using traditional approaches to security, is simply not going to work, he says. “In the industrial age, what we used to do when businesses scaled up was to nail down the system, to put limits on the system in order to control it. We’d synchronise everything, standardise it – classify everything. We followed the same rules with the same machines and produced the same products. It made it easy to control.

“In those days, when you put an input in, you had a guaranteed and predetermined output.”

However, in the future networks will massively amplify the number of states a system can be in, says Lacey. “With a network in the way, you’re not quite sure what the output will be. So with massive growing networks, the number of states you need to have for the systems you’re trying to control will multiply rapidly. We know from Ashby’s Law of Requisite Variety that you have to have the same number of states in the controlling mechanism as in the system you’re trying to control.”

Lacey says it means we’re going to have to scale up the number of controls in our controlling systems. “You can’t have a simple control looking [at] a complex situation – it’s mathematically impossible. And with increasingly diverse, accelerating and more complex systems, we’ll need to scale up our control by utilising networks and computers in the controlling mechanism,” which could be networks, networks of people, things like botnets, social networks, or client services. The great difficulty, he points out, quoting John Maynard Keynes, lies not in the new ideas, but in escaping the old ones.

It means security professionals are going to have to change the way they do security because, at the moment, they are not doing real security, he says. “There are three ways you can do security, and no one is doing real security.”

There’s compliance, which is what nearly everyone currently does, says Lacey. “This is where you use a 20 to 25 year old set of controls to control today’s fast moving situation. It’s frozen and enforced by compliance. The way people respond to compliance is bad because they don’t do the best solution. They tend to leave it as long as possible until auditors tell them they haven’t done something, and when they’re about to be red flagged, they do the quickest cheapest thing they can to satisfy the auditors – that’s compliance.”

The second type of security he describes as business enablement, and he points out there’s nothing new in that either; it’s also 20 to 30 years old. He says business enablement seeks to impress the executive board with the promise of future business benefits. “It won’t work either because you can’t make a business case with an ROI around security. It’s a leap of faith. If you take that business case to investment appraisal they’ll throw it out because there’s no guaranteed ROI.”

Real security is something that nobody actually addresses because it involves difficulty, cost and delay, says Lacey. “If you practised real security, you have to say ‘get those people off the network, close down that system, replace that insecure legacy platform, take that project back to the drawing board’.

“If you do that, you’ll be sacked,” he concludes, so nobody practices real security. “It will happen one day, because it has to. Because we have to prevent the threats, but it won’t happen until we get the equivalent of a 911 incident within an organisation or society. And at that point, business and government will say we’ll have to do things properly, not by putting some cosmetic control systems on top.”


Stories by Mark Wheeler
