As we all know, there are two main components to risk: 1) the chance that something will happen, and 2) how bad it would be if it did. Or, probability and impact. For the last 20 years, in both terrorism and information security, we have focused on prevention (probability) and this effort has yielded some decent returns. But no longer.
We’ve simply reached Peak Prevention — a wall of diminishing return where we can multiply our prevention efforts by many fold and get no reduction in risk (and perhaps even an increase due to ever-advancing threats). 10 years ago we were at around 50% prevention maturity, and now we’re at roughly 90%. If we spend another 10 years and 10 trillion we can maybe get to 95%. But all that effort would provide only a small fraction of what we could achieve by making successful compromises less costly.
Imagine if we’ve said to the terrorists after 9/11 that we would start cleanup and rebuilding the following Monday. What if we told them that we lost that many people in car accidents the year before, and that innocent civilians are easy to kill. What if we told them that we would be just fine–that we’d pick ourselves up and continue on as if nothing had happened. No TV shows about the terrorists, no books, no attention. What if we told them that they’d be dead soon, and that nobody would remember their names.
Had we done that we would have spent a few billion dollars, and had a tough couple of years. Instead, we reacted in the worst possible way, dealing a self-inflicted wound that has cost us trillions upon trillions. The attack didn’t hurt us that bad–our response did. What we need for terrorism is resilience, not more prevention, and the same is true for information security.
Imagine if we were to say that digital identities are easy to steal, and that social security numbers are already out there, and that they’re not as important as we thought they were. Or perhaps that corporate networks are too massive to perfectly defend, and that breaches are often inevitable. What then?
Answer: We would move from a paradigm of terror at the thought of a breach, and panic once one has been detected, to that of practiced, mature preparation and controlled response. In short, we may not be able to lower the probability value much more in the risk equation, but we can absolutely adjust the impact. And if the impact goes down, so does the risk.
In this world, the negative publicity from getting hacked comes only from negligence with controls and/or a poorly handled incident response or notification. As it becomes understood that highly trained, asymmetrically resourced adversaries will penetrate highly complex global networks and do harm, the taboo of compromise is all but removed.
In fact, we’re already starting to see that happen. In the last decade we’ve seen literally hundreds of publicbreaches, with a staggering number coming in the last few months alone. Some of these companies have been rocked by their incidents, while others are virtually unscathed after just a few short weeks.
What’s the difference?
The Role of Controls
Many who make a living in security probably don’t want to hear hat we’re about to switch to a resilience paradigm from one of prevention, as it seems to almost trivialize compromise.
Nobody will care if they get hacked!
But that’s not true.
The difference between a company that goes on to be successful after a breach and one that suffers immeasurably is that the former had the controls in place and the later did not. And I’m not just speaking of a few technical controls: I mean a robust, highly mature information security program that has not just the technology but also the processes and training to respond properly when something does take place. So the security industry will be just fine. The difference is that companies who are judged to have done everything right, but still got hacked, will not suffer the shame that is still associated with being compromised. This will become commonplace, and an accepted part of doing business in the 21st century. The stigma is falling away. The only question will be whether or not you had your shop in order when it happened, and whether you responded appropriately. Consumer confidence in your company, and your stock price, will reflect this truth.
Two Approaches to Reducing Impact
Once we’ve accepted that the future path of risk reduction lies in reducing impact, we can start to look at ways to accomplish that. I see two primary ways to do so:
- Significantly Reduce the Impact of Common Compromises
This portion of the solution will have many technological components, including an idea I got from recent password compromise issues. I believe the networks of the future will store their data in a decentralized way that makes common compromises virtually useless.
In other words, access to data as a result of a low to mid-level compromise will not yield anything of use to attackers because they’ll only have a tiny percentage of what’s required to make the data usable. And getting the other requisite pieces would require failures across multiple other areas in the company’s defenses.
Savvy readers will know that this will not thwart attackers completely, and that they will move their attacks to locations and users who can access the complete data set (someone has to have access to it, afterall). We’re already seeing this today, actually, but this is not a reason to abandon this approach. The fewer the systems that grant access to the real data, and the more effort it takes to get to the real data, the more time and chance we have of finding and stopping them.
- Reduce the Value of the Data That is Stolen
This one is harder, but it’s still possible if enough people are involved and energy is put into it. Examples here could include modifying the requirements for getting a credit card, procuring a mortgage, etc. If additional factors (stronger factors) are added to the equation we could see the impact of SSNs or CCNs being stolen plummet significantly.
In short, not only make it less of an issue if you’re compromised, but make the leaked data less valuable as well. Again, this is something that’d have to be done at multiple levels, with multiple organizations helping, but any progress would be significant progress.
However it’s accomplished — and it’ll definitely be through a myriad of approaches — this shift is upon us. We’ve had a good run at catching the prevention unicorn, and we need to maintain our ground and continue to innovate in that area to some degree. But the true progress in future risk reduction will come from reducing the impact of breaches. The sooner we accept this the better.
- This is a concept I wrote up many years ago, and a presentation that I’ve done a couple of times in the past. I’m simply consolidating the concept and the presentation in one place here.