In 2013, I looked briefly at how being hacked affects a company’s stock price. More people are looking at this now, and the evidence seems to show that there is often a major dip, but after 6 to 12 months it’s hard to even notice it happened.
I’ve been worried for a long time that we’re getting Breach Fatigue. If only a few companies have been hacked, then the public will punish them with a lack of trust and less business. But if everyone’s been hacked, then consumers don’t have the choice to move their business to the invincible option (since none exists).
So what then?
If everyone’s been hacked, and consumers come to accept that it’s inevitable, then what incentive will companies have to do security?
I think the answer is that there are different types of breach, and that even if companies stop caring about losing customer data, they’ll still care about two other types of security failure.
- Business Disruption
- Human Safety
When I first started thinking about this, I was thinking that these three things (Data Loss, Business Disruption, and Human Safety) might map to the CIA triad, with data loss being confidentiality. That would have been a neat essay, but I don’t think it’s true.
Losing customer data is one type of risk, and it’s the one that’s served as the fuel for the Information Security industry so far. But this is only because humans used to have some measure of privacy because it was so hard to move information from one place to another. To take an individual’s information and give it to 100 different companies all over the world would have been supremely difficult before computers. Now it takes seconds.
I don’t see the loss of privacy as a failure of infosec. I see it as an inevitability of a data-powered economy.
If the metaphor is the swimming pool, data isn’t the urine in the water that we can’t get out. It’s the water itself. You could remove it, but then what would you have? Ultimately, privacy requires an empty pool. And given a choice, people will gladly provide the water to swim.
GDPR is going to breathe new life into the concern about data loss (at least in Europe), but I think this will be a losing battle in the long run.
Anyway, once the fear of losing our data has been played out—which I’d argue we’re getting close to—I think we’ll move to other types of risk.
Business Disruption is one. It applies, obviously, to business, where disruption means lost revenue and potentially the company going out of business. So malware infections, intellectual property loss, denial of service attacks, and corruption of data (integrity attacks) could all be examples. But Disruption can also apply to society: stopping transportation, preventing purchases online, and so on. In both cases you’re talking about losing money, value, opportunity, and trust in the underlying system.
So Disruption of business and society is an ever-present threat, and is arguably the most likely and most common type of risk (once data loss becomes a non-issue).
Even more visceral, though, is Human Safety. As we connect more and more systems to the internet, and then connect those things to each other, we’re looking at automating and using AI to control more and more of the systems that surround humans both in transit and at rest.
The opportunity for harm—both accidental and malicious—is about to grow exponentially, and this will make up the other major type of risk that companies and societies are looking to reduce.
Resilience is security
I think the main way risk will be thought about, and managed, is through a language of interconnectedness and resilience.
The solution to both Disruption and Safety is resilience. In the case of business, you need to be able to have (virtually) anything happen—throughout your infrastructure—and still be able to function as a company.
- Your DNS provider is taken out
- An employee goes rogue and deletes infrastructure
- Your cloud provider is hacked and your servers are deleted
The future charge of information security will not be prevention, but resilience.
Rather than asking how we keep these bad things from happening, we’re going to ask how quickly we can recover once they do.
Security is ultimately about the goal of being able to relax and go about our business.
This is fitting, actually, since security comes from Latin and breaks down as se (without) and cura (attention, worry)—or “life without worry”—which is precisely what we’re trying to give to the businesses and societies we work for.
Think about that.
The entire modern history of Information Security has been focused on preventing things from happening—namely preventing data loss. And that’s the removal of worry we’ve been selling to management for two decades.
Soon we won’t care about that at all, and we’re going to be in such a connected world that everyone can reach out and touch everyone else. The perimeter is gone. The firewall is gone. Isolation is gone. Privacy is gone.
All that will matter as a consumer, as a business, and as a society, is that you can do what you are trying to do—no matter what anyone else is doing.
Security in that world is virtually synonymous with resilience. It’s the ultimate form of being able to live without worry. No matter what happens, we’ll still be ok.
- The transport vehicle has 19 different safety systems, and even if most are hacked or blown up, the others will take over
- The business has its infrastructure replicated in 17 parts of the world, and failover takes place seamlessly whether the attack is on the servers, the storage, DNS, or whatever
- It’s ok if you lose your data because everyone has it anyway, and all transactions require 29-factor authentication, so your data by itself is useless
This is security. This is living “without worry”.
Dependencies and contracts
Companies will rely on each other to provide these multiple tendrils of reliability and redundancy. When they fail each other by going down, there will be contractual violations that require financial payouts.
And this is where insurance will enter the picture. Insurers will cover companies against the losses that come from causing disruption or harm.
Basically, if you cause harm to any of the 24,000 vendors you are intertwined with, there will be a penalty. And if any of them fail you—in the processing of your requests, or in the service of your customers—then they will owe you. But if you or any other set of individual services fail, the whole will still be able to function.
This is how the lattice of resilience will be built across the business world and across society.
- Data loss is about to become a relative non-issue.
- Security is really about relaxation, and literally means “without worry”.
- That lack of worry used to (mistakenly) come from prevention, and now we’re transitioning to a world where it can only come from resilience.
- The two types of risk we’ll be dealing with are Disruption and Human Safety.
- Risk will be managed by interweaving dependency contracts that extract financial penalties when there are outages or when people are hurt or killed.
- Thanks to my friend Peter Albert for educating me about the Latin origin of the word Security. I think it’s extremely powerful to realize that in any type of security we’re ultimately chasing the ability to relax.
- The way cyber-insurance plays into all of this is that insurers will be the ones covering each entity against loss, and the premiums you pay will depend on how solid your security is. Because insurance is so focused on data-driven profit margins, insurers will spend billions figuring out what actually does and doesn’t work with regard to security controls, and they will rate and adjust premiums accordingly.