When you consider where security is heading, futurist David Lacey, who spoke at the CSO Roadshow in Melbourne this week, talks about the growth and importance of networks, relationships and the flows of information.
Massive scalable power can be achieved through the exploitation of networks, so as the number of relationships and flows of information between them scales ever upwards, the implications for security are vast, says Lacey.
“The future focus of security is basically going to be all of the things that security is currently bad at,” he states.
Security is going to need to be more mobile and cope with far higher complexity; it is going to get faster and faster, become far more intellectual and external, and much more diverse. “These are all things we don’t yet know how to manage.”
Controlling such massive networks and flows of information using traditional approaches to security is simply not going to work, he says. “In the industrial age, what we used to do when businesses scaled up was to nail down the system, to put limits on the system in order to control it. We’d synchronise everything, standardise it, classify everything. We followed the same rules with the same machines and produced the same products. It made it easy to control.
“In those days, when you put an input in, you had a guaranteed and predetermined output.”
However, in the future networks will massively amplify the number of states a system can be in, says Lacey. “With a network in the way, you’re not quite sure what the output will be. So with massive growing networks, the number of states you need to have for the systems you’re trying to control will multiply rapidly. We know from Ashby’s Law of Requisite Variety that you have to have the same number of states in the controlling mechanism as in the system you’re trying to control.”
Lacey says this means we’re going to have to scale up the number of controls in our controlling systems. “You can’t have a simple control looking [at] a complex situation – it’s mathematically impossible. And with increasingly diverse, accelerating and more complex systems, we’ll need to scale up our control by utilising networks and computers in the controlling mechanism.” Those could be networks of computers, networks of people, things like botnets, social networks, or client services. The great difficulty, he points out, quoting John Maynard Keynes, lies not in the new ideas but in escaping the old ones.
It means security professionals are going to have to change the way they do security because, at the moment, they are not doing real security, he says. “There are three ways you can do security, and no one is doing real security.”
There’s compliance, which is what nearly everyone currently does, says Lacey. “This is where you use a 20 to 25 year old set of controls to control today’s fast-moving situation. It’s frozen and enforced by compliance. The way people respond to compliance is bad because they don’t do the best solution. They tend to leave it as long as possible until auditors tell them they haven’t done something, and when they’re about to be red-flagged, they do the quickest, cheapest thing they can to satisfy the auditors – that’s compliance.”
The second type of security he describes as business enablement, and he points out there is nothing new in that either: it is also 20 to 30 years old. Business enablement, he says, seeks to impress the executive board with the promise of future business benefits. “It won’t work either because you can’t make a business case with an ROI around security. It’s a leap of faith. If you take that business case to investment appraisal they’ll throw it out because there’s no guaranteed ROI.”
Real security is something that nobody actually addresses because it involves difficulty, cost and delay, says Lacey. “If you practised real security, you’d have to say ‘get those people off the network, close down that system, replace that insecure legacy platform, take that project back to the drawing board’.
“If you do that, you’ll be sacked,” he concludes, so nobody practises real security. “It will happen one day, because it has to, because we have to prevent the threats. But it won’t happen until we get the equivalent of a 9/11 incident within an organisation or society. And at that point, business and government will say we’ll have to do things properly, not by putting some cosmetic control systems on top.”