Since I began working at Bromium, I've noticed a very specific transformation among information security executives I have met. Some of you will recall the story of the CIO who told me that his employees were not allowed to visit Facebook, for compliance purposes. I recently caught up with him, nearly a year later, and he told me that a few months after we talked it was discovered a high ranking executive in his company had their Twitter account phished and the attackers then used those Twitter credentials to gain access to a corporate SaaS account. Fortunately the attack was stopped before any sensitive information got out, but it served as a wake-up call, a sort of corporate black swan event, setting in motion the cascading epiphany that plausible deniability does not yield dismissal of accountability.
It's well known among motorcyclists that when approaching a cross street, a car driver may come to a full stop, stare at a motorcycle and then, not seeing a car (the expected visual cue), pull out in front of the motorcycle, colliding with it. This phenomenon is called "Inattentional Blindness". But to not "see" something, even innocently, such as in the aforementioned case, doesn't preclude a person from being held accountable for the events they set in motion.
To that end, I believe more and more security professionals, already aware that saying "no" to users does not yield cessation of undesirable activity, are coming to terms with their accountability for risk – regardless of whether it's due to user activity within or outside of policy. As such, it's time to adopt reality-based risk assessments: Some users are always going to operate outside of policy, and since we know we cannot enforce policy at the user level, we must invest in infrastructure that is robust to mistakes and policy circumvention.
This is my last week at Bromium. I'm moving on to pursue other adventures. But upon leaving, I feel an incredible sense of accomplishment. Not only for myself and the amazing team here at Bromium, but for the information security practice as a whole, for maturing beyond investment in infrastructure that does a better job of enforcing the "no", and moving forward to solutions that securely enable the "yes".
Post a Comment