Undoubtedly, most of you will have seen the amazing story about the developer who secretly outsourced his own role to China, investing 20% of his annual salary to free up almost all his work time. The ruse came to light when the firm, who were pushing forward with a more flexible working package, noticed anomalous VPN activity and called in their telecom provider to investigate. The logs indicated that their lead programmer, "Bob," was apparently regularly telecommuting from Shenyang despite being peacefully sat at his desk surfing the Internet for amusing cat videos.

It transpires that "Bob" had FedExed his SecurID token to China and was allowing the remote development company VPN access to his employer's network so that they could do his day job for him.

Irrespective of the terrible security implications here, and they are pretty horrid, "Bob" was delivering high-quality code to schedule.  In fact, his performance review regularly identified him as the best developer they had!  And what "Bob" did here was not difficult – many sites offer the services of dedicated professionals such as developers, designers, proofreaders, even lawyers, for a small price.

In a business environment where we encourage flexible working, allow personal devices, and seek to incentivize workers for innovation, excellence, and performance, "Bob" could be held up as a role model, but at what cost to the enterprise?

A little while ago I bumped into a journalist friend at a trade conference. We chatted about the event to try and identify hot topics and trends from our discussions and supplier meetings, and both sat there deflated when the stories that came to the surface were the same old ones of fear-mongering around APT and “cyber” threats.

“CISOs have a habit of missing the boat,” I said, thinking of how virtualization, social media, and consumerization had all crept into wide-scale adoption before many security teams had managed to turn their attention to them, “so, what topic should we be looking ahead to that CISOs are not talking about?” This question was much more interesting and we came to realize that the elephant that is currently pushing its way into the room is the Internet of Things (IoT).

My friend pointed out that he had raised this topic with several CISOs and was surprised at their lack of appreciation for the potential change that the IoT could bring to industry, consumers, and the Security & Risk (S&R) role — as the digital and physical world entwine, for example, we can envisage huge safety risks that the CISO would be best placed to address. We also decided that the stakes were surprisingly high, as the IoT has the potential to revolutionize technology innovation to such an extent that the eCommerce and social media bubbles will appear both sluggish and trivial by comparison.

It’s common knowledge that the security landscape has shifted over the past few years and the once-strong perimeters that CISOs relied upon have become stretched, fragmented, and overrun by increasingly mature attackers. There are many reasons for this change — from the increasing value of intellectual property and ideas to the business’ desire for agility and flexibility  — but it comes down to the fact that the technology controls that CISOs are so used to deploying simply can’t stay ahead of the threats.

Increasingly, Security & Risk (S&R) Professionals are being asked not only to protect the organization from hackers but also to protect their organization’s brand and competitive advantage whilst enabling efficient and agile business processes. In this environment, we need to realize that technology is just one piece of an increasingly complex puzzle, and it’s a puzzle we have to solve without ever saying “no.” As one security expert Forrester interviewed put it, the right question is “How do I make sure this boat doesn’t crash?”; it isn’t, “How do I make sure this boat doesn’t even reach the ocean?”

It’s essential that CISOs shift their focus beyond technology to the wider spectrum of responsibilities that comprise an effective security practice. By redefining the situation and evolving their role, S&R professionals can:

Last night I stumbled across a documentary on BBC2 (content only available to UK residents – sorry!) about the human brain. One section talked about how the brain perceived risk issues – obviously an interesting topic for security folk!

A test subject was placed into a brain scanner and asked to estimate the likelihood of 80 different negative events occurring to him in the future – from developing cancer, to his house being burgled, to breaking a leg etc.  Once he had stated his opinion, the real likelihood was then displayed to him.

At the end of the 80 events, the process resets and the subject is presented with the same events and asked to, once again, state his perceived likelihood, although this time with some knowledge of the actual answers.

The results are surprising. 

Where his initial response had been too pessimistic, the test subject adjusted his perception to align with the actual likelihood. However, where he had initially been too optimistic, his opinion remain largely unchanged by the facts! It was apparent that the brain proactively maintained a ‘rose-tinted’ view of the risks, accommodating a more optimistic view but shunning anything more negative.

The scientists argued that this was the brain did this for two main reasons

1 – To minimise stress and anxiety, for the resultant health benefits; and

2 – Because an optimistic outlook helps drive success, support ambition and keep humanity striving for a better future.

Last night I attended a vendor presentation about cloud-based risk and the threat from nation state attacks. Unfortunately, due to a busy schedule and a difficult journey, I arrived just as the final presentation moved to its Q&A stage. Listening to a Q&A session when I had no idea what the content of the presentation had been was actually quite an interesting experience, unfortunately not for all the best reasons.  A section of the audience immediately dived into the detail and tried to find fault with the solutions that had evidently been outlined. They poked and prodded the presenter until she admitted that no solution was 100% and, yes, there were ways to mount a successful attack even with her recommendations in place. At that point, the questioners sat back in their seats, triumphant – they had won.  There seemed little interest in continuing the conversation to figure out ways to minimize the remaining risk, and their body language suggested that they had mentally discounted everything that had been said.

I was a little disappointed by this. Some S&R pros seem to treat information security as an academic exercise, a challenge where the best argument wins and security is a mere footnote. These folk are often also the ones who overreact to very complex, and very unlikely, technical threat scenarios while overlooking behaviors and processes that may be fundamentally flawed. They appear unhappy with any security solution that isn’t perfect. I had hoped that we all recognized that good security was not about hitting a home-run; it’s much more about applying the 80/20 rule over and over again, iteratively reducing the risk to the organization.