There are two primary choices in life: to accept conditions as they exist, or accept the responsibility for changing them.

—Denis Waitley

In January 2002, I was hired to run a new Intel internal program called Security and Business Continuity. The program had been created following the major security events of the previous year (9/11 and the Code Red/Nimda viruses) and it focused primarily on the availability risks at that time. I had no background in technical security, but I had been at Intel for nearly 10 years in a variety of business-related positions, mostly in finance. As I learned about information risk during the first few months, it became apparent to me that the world was starting to change rapidly and that a “perfect storm” of risk was beginning to brew. In June 2002, I put together a diagram (Figure 1-1) to explain the risks to my manager, Intel’s CIO, and anyone who would listen to me. The diagram has been updated slightly since then to more explicitly highlight the geo-political forces that are a key part of the threat, vulnerability, and regulatory risk landscape.

Figure 1-1. The perfect storm of information risk

Today, it is clear that my view of the world was essentially accurate. Security breaches and intrusions are reported almost daily at organizations of all sizes, legal and regulatory issues related to technology use continue to grow, and geo-politics have surged to the forefront of some of these discussions in a post-Snowden era. Cyber attacks and data breaches are now considered the biggest threats to business continuity, according to a recent survey (Business Continuity Institute 2016).

But the key question that I asked in the first edition of this book is still valid. Is information security really effective? Given the rapid evolution of new technologies and uses, does the information security group even need to exist?

Obviously, this is a somewhat rhetorical question. I cannot imagine that any sizeable organization would operate well without an information security function. But the real issue is whether the information security group should continue to exist as it does today, with its traditional mission and vision. It is clear from the prevalence of breaches and compromises that we have not kept up with the threats, and we appear to be slipping farther behind as the world grows more volatile, uncertain, and ambiguous. It is no wonder that we have fallen behind: as the world of technology expands exponentially, so do the technology-related threats and vulnerabilities, yet our ability to manage those security and privacy risks has progressed only at a linear rate. As a result, there is a widening gap between the risks and the controls. In fact, many organizations have essentially given up actively trying to prevent compromises and have defaulted to reliance on after-the-fact detection and response tools.

As information risk and security professionals, we should be asking ourselves pointed questions if we wish to remain valuable and relevant to our organizations. Why do we exist? What should our role be? How are new consumer and Internet of Things (IoT) technologies shaping what we do, and can we shape the world of these new technologies and usage models? How is the evolving threat landscape shaping us, and can we shape the threat landscape? Given the bewildering pace at which technology changes and new threats appear, how do we focus and prioritize our workload? What skills do we need?

Traditionally, information security groups in businesses and other organizations have taken a relatively narrow view of security risks, which resulted in a correspondingly narrow charter. We focused on specific types of threats, such as malware. To combat these threats, we applied technical security controls. In an attempt to protect against attacks and stop them reaching business applications and employees’ PCs, we fortified the network perimeter using firewalls and intrusion detection software. To prevent unauthorized entry to data centers, we installed physical access control systems. Overall, our thinking revolved around how to lock down information assets to minimize security risks, and how to reactively detect and respond to risks as they presented themselves.

Today, however, I believe that this narrow scope not only fails to reflect the full range of technology-related risk to the business; it is detrimental to the business overall. Because this limited view misses many of the risks that affect the organization, it leaves areas of risk unmitigated and therefore leaves the organization vulnerable in those areas. It also makes us vulnerable to missing the interplay between risks and controls: by implementing controls to mitigate one risk, we may actually create a different risk. And by focusing primarily on detection and response, we are not preventing harm; we are just trying to limit the damage.

As I’ll explain in this book, we need to shift our primary focus to adopt a broader view of risk that reflects the pervasiveness of technology today. Organizations still need traditional security controls, but they are only part of the picture.

There are several reasons for this. All stem from the reality that technology plays an essential role in most business activities and in people’s daily lives.

Technology has become the central nervous system of a business, supporting the flow of information that drives each business process from product development to sales. In addition, as I’ll discuss throughout this book, almost every company is becoming a supplier of technology in some form, as technology becomes a vital element of most products, services, and infrastructure from cars and household appliances to the power grid.

The role of technology in people’s personal lives has expanded dramatically, too, and the boundaries between business and personal use of technology are blurring. Marketers want to use social media to reach more consumers. Employees want to use their personal smartphones to access corporate e-mail.

Meanwhile, the regulatory environment is expanding rapidly, affecting the way that information systems must manage personal, financial, and other information in order to comply—and introducing a whole new area of IT-related business risks.

Threats are also evolving quickly, as attackers develop more sophisticated techniques, often targeted at individuals, which can penetrate or bypass controls such as network firewalls, traditional antivirus solutions, and outdated access control mechanisms such as passwords.

In combination, these factors create a set of interdependent risks to a business’s information and technology, from its internal information systems to the products and services provided to its customers, as shown in Figure 1-2.

Figure 1-2. Managing the interdependent set of technology-related risks

Traditional security or other control type thinkers would respond to this situation by saying “no” to any technology that introduces new risks. Or perhaps they would allow a new technology but try to heavily restrict it to a narrow segment of the employee population. An example of this over the past few years was the view at some companies that marketers should not engage consumers with social media on the company’s web site because this meant accumulating personal information that increased the risk of noncompliance with privacy regulations. Another example was that some companies didn’t allow employees to use personal devices because they were less secure than managed business PCs.

The reality is that because IT is now integrated into everything that an organization does, security groups cannot simply focus on locking down information assets to minimize risk. Restricting the use of information can constrain or even disable the organization, hindering its ability to act and slowing its response to changing market conditions. A narrow focus on minimizing risk therefore introduces a larger danger: it can threaten a business’s ability to compete in an increasingly fast-moving environment.

The Challenges of Rising Security Costs and Skills Shortages

Growing recognition of the importance of security and privacy, triggered largely by highly publicized breaches, has led to sharply increasing security spending and an accompanying skills shortage. If the current trajectory continues, Gartner Inc. predicts that by 2017 the typical IT organization will spend up to 30 percent of its budget on risk, security, and compliance, and will allocate 10 percent of its people to these security functions. That is triple the levels of 2011 (Gartner 2015b). At the same time, skill shortages may worsen; more than a third of security managers surveyed in 2015 reported significant obstacles in implementing security projects due to inadequate staffing (Morgan 2015). One question is how much of the projected cost increase is due to under-investment in the past, and how much is due to the fact that organizations have invested in technologies that do not adequately reduce risk. To break the cycle, as I’ll explain in Chapter 7, we need a new security model and tools that create a demonstrable decrease in the risk curve, with a greater focus on effective prevention and machine learning to reduce cost and manual effort.

Protect to Enable®

To understand how the role of information security needs to change, we need to re-examine our purpose. We need to Start with Why, as author Simon Sinek argues convincingly in his book of the same name (Portfolio, 2009). Why does the information security group exist?

As I considered this question back in 2010, and discussed it with other members of the risk and security team that I led at Intel, I realized that we needed to redefine our mission. Like the IT organization as a whole, we exist to enable the business, to help deliver IT capabilities that provide competitive differentiation. Rather than focusing primarily on locking down assets, the mission of the information risk and security group must shift to enabling the business while applying a reasonable level of protection. To put it another way, we provide the protection that enables information to flow through the organization, our partners, and our customers. We also provide the protection for the technology that our organizations create to provide new experiences and opportunities for our customers.

The core competencies of information security groups—such as risk analysis, business continuity, incident response, and security controls—remain equally relevant as the scope of information-related risk expands to new areas, such as technology-enabled products and services, as well as privacy and financial regulations. But rather than saying “no” to new initiatives, we need to figure out how to say “yes” and think creatively about how to manage the risk.

During my time at Intel, the security group’s mission evolved toward this goal as we helped define solutions to a variety of technology challenges. For example, my team recognized as early as 2002 that implementing wireless networks within Intel’s offices could help make the workforce more productive and increase their job satisfaction by letting them more easily connect using their laptops from meeting rooms, cafeterias, and other locations. At the time, many businesses avoided installing wireless networks within their facilities because of the risk of eavesdropping or because of the cost. We learned pretty quickly that when we restricted wireless LAN deployments or charged departments additional fees to connect, we actually generated more risks. This was because the departments would buy their own access points and operate them in an insecure fashion. We recognized that the benefits of installing wireless LANs across the company outweighed the risks, and we mitigated those risks using security controls such as device authentication and transport encryption. By 2004, that approach had enabled ubiquitous wireless and mobile computing that propelled productivity and actually reduced risks.

A more recent example that many organizations have experienced: for years, Intel didn’t allow employees to use personal smartphones for business, due to concerns about privacy and other risks such as data theft. However, we experienced growing demand from employees soon after the launch of the iPhone 3 in 2009. We realized that letting them use these consumer devices to access e-mail and other corporate systems would help boost employee satisfaction and productivity.

By working closely with legal and human resources (HR) groups, we defined security controls and usage policies that enabled us to begin allowing access to corporate e-mail and calendars from employee-owned smartphones in early 2010. The initiative was highly successful, with a massive uptake by employees, overwhelmingly positive feedback, and proven productivity benefits (Evered and Rub 2010, Miller and Varga 2011). The success of the initiative led to its selection for an in-depth Ivey Business School case study (Compeau et al. 2013).

The transformation within the information security group was reflected in changes to our mission statement and top priorities over the years. In 2003, the internal mission statement reflected the traditional focus and scope of information security organizations: the overarching goal was to protect information assets and minimize business disruption.

By 2010 it was clear to me that we needed to simplify our purpose and also broaden the scope. So in 2011, I changed our mission to Protect to Enable to express the idea that our primary goal was to find ways to enable the business while providing the protection necessary to reduce the risk to an acceptable level.

For a few years after this, I thought of information risk and security as a balancing act. I felt that we needed to try to find the right balance between providing open access to technology and information to enable the business and locking down assets. Providing open access allows greater business agility. The business can move more quickly with fewer restrictions. Employees can work more freely, and the faster flow of information allows the company to grow and transform.

But as my responsibilities grew to encompass security and privacy not only for internal systems but also for all aspects of products and services, I realized that a balancing act was the wrong analogy. We should not start from a position of making trade-offs between risks and enablement, or between security and privacy. So I began using a different model that I now feel more accurately represents the challenges of managing information risk: we should take on the harder task of optimizing what is really a multivariate equation of risk dynamics and business objectives in order to create solutions that are “tuned to target,” as shown in Figure 1-3.

Figure 1-3. Tuned to target: optimizing the equation to meet business objectives and customer needs

For each problem and solution, we try to optimize or “tune” five primary variables:

  • Risk and Compliance: Meeting security, privacy and compliance requirements, based on the organization’s risk tolerance and security and privacy principles.

  • Cost and Maintenance: The total cost of controls, factoring in deployment and maintenance costs.

  • Productivity and User Experience: The extent to which controls hinder business velocity by making it harder for users to do their jobs. I call this control friction. In addition, if we make it difficult or time-consuming for users to follow security policies or use security tools, they’ll ignore them, thus creating more risks. (See the discussion of the 9 Box of Controls in Chapter 7.)

  • Market Objectives: The company’s goals, such as increased market share.

  • Customer Needs: Our customers’ privacy and security needs, as well as their overall experience.

Ultimately there may be cases where we cannot fully optimize each item and we need to make trade-offs, but that doesn’t mean we shouldn’t try.

I hope that this model may help information security groups at other organizations think about how these priorities relate to their own businesses. The optimization points for each variable and objective will depend on factors such as the organization’s overall culture, technical acumen, and appetite for risk.

Building Trust

I believe that if computing is to continue to improve the world we live in, rather than endanger it, it must be trustworthy. Unfortunately, as I describe in Chapter 9, the privacy and security breaches that have hit the headlines in recent years have weakened the public’s trust in technology, according to the Edelman Trust Barometer, a widely used indicator. The rapid implementation of new technologies emerged as a new factor in depressing trust overall. “By a two-to-one margin, respondents in all nations feel the new developments in business are going too fast and there is not adequate testing,” the study concluded (Edelman 2015).

To rebuild trust in technology, we need to ensure the data we enter into our systems is both secure and private. At Cylance, we strive to cultivate a work environment where security, privacy, and trust are an integral part of the evolving culture of the company and foundational to the design, development, and delivery of our products and services.

To analyze the context that led to my approach to the risk and security mission, and helped to shape top priorities, I’ll explore some of the key changes in the landscape: the rapidly expanding regulatory environment, the emergence of new devices and technologies, and the changing threat landscape.

Keeping the Company Legal: The Regulatory Flood

Until the early 2000s, I didn’t see regulatory compliance as a top priority for information security. That’s simply because there weren’t many regulations that impacted IT, at least in the United States. There were a few exceptions that affected a subset of companies, including Intel, such as controls on certain high-tech exports. And in European countries, there were already regulations that sought to protect personal information. But in general, IT groups didn’t have to dedicate much of their time, or budget, to regulatory compliance.

The change in the last decade has been extraordinary. We have seen a flood of new regulations implemented at local, national, and international levels. They affect the storage and protection of information across the entire business, from the use of personal information for HR and marketing purposes, to financial data, to the discovery of almost any type of document or electronic communication in response to lawsuits. And with growing concerns about cyberwarfare, cyberterrorism, and hacktivism, several countries are evaluating additional cybersecurity legislation in an attempt to protect critical infrastructure and make industries more accountable for strengthening security controls.

In most cases, these regulations do not aim to specifically define IT capabilities; however, because information is stored electronically, there are huge implications for IT. The controls defined in the regulations ultimately must be implemented in the organization’s systems. These systems include more than just technology: they consist of people, procedures, devices, and applications. The business risk includes a significant IT-related component, but we must take a holistic view of risk management. Noncompliance can damage a company’s brand image, profitability, and stock price—not just through resulting legal problems, but through bad publicity.

Let’s take a brief look at some of the key areas and regulations that are having the biggest impact.

Privacy: Protecting Personal Information

For many US companies, the wake-up call was the California data security breach notification law (State Bill 1386), which became effective in 2003. A key aspect of this law requires companies that store personal information to notify the owner of the information in the event of a known or suspected security breach. Businesses could reduce their exposure, as well as the risk to individuals, by encrypting personal data.

After this, other states quickly followed suit, implementing regulations that generally follow the basic tenets of California’s original law: companies must promptly disclose a data breach to customers, usually in writing.

In addition, federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA), have addressed specific categories of personal information. Further regulations have been added in other countries, too, such as the updated data-protection privacy laws implemented in Europe (European Commission 2011, 2012).

The implications of these local and national regulations extend beyond geographical boundaries. As companies do more business online, they’re increasingly likely to acquire and store information about customers from other countries, and find that they also need to comply with regulations around the world. Those regulations may change, with implications for businesses in multiple countries. In late 2015, for example, Europe’s highest court struck down the so-called “safe harbor” agreement that had allowed companies to move information about consumers between the European Union and the United States. The replacement EU-US Privacy Shield, agreed after three months of negotiations, aimed to address European privacy concerns with written guarantees that US intelligence agencies would not have indiscriminate access to Europeans’ personal data stored in the US (Scott 2016).

The issue can become even more complex when businesses outsource application development or HR functions to providers located in yet another country. Now, software developers in India may be building and operating the systems that collect information about Europeans for US companies, making it even more difficult for businesses to navigate compliance with all relevant privacy regulations.

Personalization vs. Privacy

Privacy concerns are set to become even more important over time, as businesses increasingly seek to create online experiences tailored to the needs of individual users. The more a business knows about each individual, the more it can personalize services and offer targeted advertising based on income and preferences.

Many users also like personalized services. If a web site “remembers” them, they don’t need to enter the same information each time they visit the site, and they’re more likely to see content and offers relevant to their needs. In fact, companies may be at a disadvantage if they don’t personalize services because users may prefer a web site from a competitor that offers a more streamlined experience.

However, there’s an inevitable conflict between personalization and privacy. The personalization trend is fueling the growth of an industry focused on collecting, analyzing, and reselling information about individuals. This industry existed long before the Web; personal information has been used in mass-mailing campaigns for decades. However, the Web is both increasing demand for this information and providing new ways to collect it. Companies now have opportunities to collect information from multiple online sources, correlate and analyze this information, and then sell it to others. And of course, consumers’ fears that information will be lost or misused have increased accordingly.

For businesses, however, offering personalized services also can increase compliance concerns. As companies store more personal information, they are responsible for safeguarding that information and are liable for any loss or compromise. In many parts of the world, companies are also required to explain why they are collecting personal data, how they are protecting it, and how long they will keep it.

We can expect continuing tension due to conflicting desires for personalization and privacy—and more regulation as a result. Governments clearly believe that businesses cannot be relied upon to regulate themselves, so they will continue to add regulations designed to protect the privacy of individuals. Meanwhile, businesses will seek new ways to collect more information so that they can further personalize services. Developing compliance strategies and guidelines becomes even more pressing.

Financial Regulations

Financial regulation surfaced as a top priority in the United States with the Sarbanes-Oxley Act (SOX), which emerged from the public outrage over corporate and financial accounting scandals at companies such as Enron and WorldCom. These scandals cost investors billions of dollars and damaged public confidence. To help avoid similar catastrophes in the future, SOX imposed financial tracking requirements designed to ensure that a company’s financial reporting is accurate and that there hasn’t been fraud or manipulation. Once enacted, SOX required publicly held companies to meet specific financial reporting requirements by the end of 2004.

Although the Sarbanes-Oxley Act doesn’t mandate specific technology controls, it has major implications for IT. Ensuring financial integrity requires controls to be implemented within everyday financial processes. In practice, this means they must be enforced within the IT applications and infrastructure that support those processes. Purchases above specific thresholds may require approval from the finance group; the underlying applications have to support this workflow, and to be sure the applications function correctly, businesses need to establish the integrity of the underlying computer infrastructure. Compliance with financial regulations therefore creates a series of IT requirements, from making sure that applications provide the right functionality to implementing access controls and updating software.

E-Discovery

Regulations governing the discovery of information for litigation purposes officially extended their reach into the electronic realm in 2006. That’s when the US Supreme Court’s amendments to the Federal Rules of Civil Procedure explicitly created the requirement for e-discovery—the requirement to archive and retrieve electronic records such as e-mail and instant messages.

This created an immediate need not just to archive information, but to automate its retrieval. This is because records must be produced in a timely way, and manual retrieval would take too long and be prohibitively expensive. The business risks of noncompliance are considerable: unlike many countries, US practice allows for potentially massive information disclosure obligations in litigation. Companies that fail to meet e-discovery requirements may experience repercussions that include legal sanctions. The implications are correspondingly onerous. Lawsuits may draw on information that is several years old, so businesses must have the capability to quickly search and access archived information as well as current data. E-discovery is further complicated by the growth of cloud computing models such as software as a service (SaaS). As organizations outsource more business processes and data to cloud service suppliers, they need to ensure that their suppliers comply with their e-discovery needs.

Expanding Scope of Regulation

The regulatory universe continues to expand, with the likelihood of more regulations that explicitly address IT, as new technologies emerge and governments try to control their use and inevitable misuse. In the US, lawmakers have proposed legislation to increase the security and privacy of connected cars, following a widely publicized demonstration in which researchers hacked into a Jeep and took over its controls. The Food and Drug Administration (FDA) has published cybersecurity guidelines describing requirements for manufacturers of Internet-connected medical devices (FDA 2016).

The attempts by various governments to gain access to technology for the purposes of combating terrorism have generated considerable impact and controversy. In China, a new anti-terrorism law requires that technology companies hand over technical information and help with decryption when the police or state security agents demand it for investigating or preventing terrorist cases (Buckley 2015). In the US, even greater controversy was generated by the US Government’s attempts to force Apple Computer to create “back doors” that make it easier to access information on iPhones used by terrorists or criminals. In India, after terrorists used unsecured Wi-Fi access points to communicate information about their attacks, the government created a legal requirement that any access point must be secured (Government of India Department of Telecommunications 2009).

In other countries, businesses that operate unsecured Wi-Fi access points (a common way to provide Internet access for visitors) may find themselves facing other legal problems. For example, unscrupulous individuals may tap into the network to access web sites for purposes such as illegally downloading music or pornography. Access appears to originate from the company hosting the access point, which may then find itself on the receiving end of correspondence or raids from the music industry or government agencies.

The Rapid Proliferation of Information, Devices, and Things

The computing environment is growing as rapidly as the regulatory environment. The sheer volume of information is exploding, and it is being stored across a rapidly growing array of devices. The Internet of Things will drive yet another exponential increase: Gartner, Inc. estimates that during 2016, 5.5 million new “things” will be connected every day, and Cisco expects 50 billion connected devices by 2020. In the not too distant future, almost any device with a power supply may have an IP address and will be capable of communicating—and being attacked—over the Internet.

Recent headlines have highlighted the growing threat activity focused on IoT, as I’ll discuss further in Chapter 7. Researchers hacked into a Jeep via its Internet-connected entertainment system and remotely controlled the vehicle’s functions (Greenberg 2015); other researchers showed that thousands of medical devices in hospitals are vulnerable to attack.

At the same time, the boundaries between work and personal technology have in some cases completely dissolved. Whether businesses officially allow it or not, employees are increasingly using their personal devices for work by sending e-mails from and storing information on their personal smartphones and computers. Furthermore, people may forward e-mail from business accounts to personal accounts created on external systems, without considering that when they signed up for the personal account, they agreed to a license that allows the external provider to scrutinize their e-mails.

The use of personal technology such as smartphones can considerably enhance business productivity because employees can now communicate from anywhere at any time. However, this also creates a more complex, fragmented environment with more potential points of attack. Information is now exposed on millions of new devices and disparate external networks, many of which do not have the same type of security controls as corporate PCs, and all of which are outside corporate network firewalls. Not surprisingly, mobile malware has become a major industry, and is still growing: one survey found more than 1,200 known families of Android malware in 2014, more than double the number found the previous year (Millman 2015).

The boundaries between work and personal lives are dissolving in other ways, too. Employees store more information on the Internet—on business and consumer social media sites, for example—than ever before. These sites are powerful tools for communicating with audiences outside the corporate firewall.

However, just as there’s an industry gathering and analyzing personal information for marketing purposes, information on the Web can be used for competitive intelligence or for less legitimate purposes. Users store snippets of information in multiple places on the Web. Although each of these snippets may not provide much information, when pieced together they can provide new intelligence not just about the individual, but also about the organizations to which the person belongs. Each item is like a single pixel in a digital picture. Alone, it doesn’t convey much information; but step back, aggregating information from a wider range of sources, and those pixels combine to form a portrait. In the same way, pieces of information strewn across a variety of unrelated web sites—the name of a department, workmates, pet names that might be used as passwords—can be linked together to create a picture of an individual and used for malicious purposes.

The Changing Threat Landscape

The threat landscape is evolving rapidly, with an increase in highly organized and well-funded groups capable of executing sustained attacks to achieve long-term goals, including cyberespionage, cyberterrorism, and cyberwarfare. These attackers, generally known as advanced persistent threats (APTs), were originally thought to focus mainly on governments but more recently have also been shown to target private-sector organizations, with the goal of stealing intellectual property or simply causing damage. APTs include nation-state organizations, “hacktivist” groups attempting to publicize or further their cause, and organized crime. Hacktivists who said they were targeting oppressive regimes claimed responsibility for an attack that disabled more than 30,000 computers at the world’s biggest oil producer, Saudi Aramco. The FBI blamed North Korea for a crippling attack on Sony Pictures (Schmidt et al. 2015). In 2014, the US Justice Department indicted five Chinese military hackers for stealing trade secrets and other information from US companies in the nuclear power, metals, and solar industries (Department of Justice 2014); in 2016, the US charged seven hackers linked to the Iranian government with hacking US banks and dam operations (Nakashima and Zapotosky 2016).

The steady rise of organized cybercrime online is entirely logical. As the exchange of money and information has moved online, organized crime has followed, focusing on theft of valuable assets such as intellectual property. This has spawned a mature malware industry that increasingly resembles the legitimate software industry, complete with a broad set of services, guarantees, and price competition among suppliers. Ransomware, which encrypts a victim’s data until a ransom is paid, is a recent trend.

Stealthy Malware

This evolving set of threat agents is using new, more sophisticated tools and methods to mount attacks. Once upon a time, attackers were amateurish and often driven by personal motives such as the prestige of bringing down a big company’s network. Accordingly, the arrival of malware on a user’s machine was easy to detect: the malware announced itself with icons or messages, and the system often became unusable.

Now the trend is toward malware that is stealthy and uses sophisticated techniques to avoid detection. Attackers plant malware that lies undetected over a long period while it captures information. Another common technique is to quietly spread malware by injecting malicious code into an unsuspecting company’s web site; users who visit the site then unknowingly download the code onto their systems.

Accompanying this is a shift from spam mass e-mails to carefully crafted spearphishing attacks aimed at individuals or specific groups. These typically use social engineering techniques, such as providing enough contextual or personal information in an e-mail to tempt people to download malware or click on a link to an infected web site created specifically for that purpose. Though more expensive to mount, spearphishing attacks can be enormously profitable to cybercriminals; an analysis by a supplier of anti-phishing solutions found that they were the primary initial attack method used by APTs in 2015; 22% of attacks were motivated by financial fraud or other crimes (PhishLabs 2016). We can expect these stealthy and targeted attacks to continue, with new methods emerging as necessary to circumvent defenses.

Nine Irrefutable Laws of Information Risk

Over the years, I’ve identified a number of “laws” that encapsulate some of the lessons I’ve learned, and that seem to remain true despite the continually changing environment. I call these the Nine Irrefutable Laws of Information Risk (with acknowledgements to Culp (2000), Venables (2008), Lindstrom (2008), and other sources):

  • Law #1: Information wants to be free. People want to talk, post, and share information—and they increase risk by doing so. Some examples:

    A senior executive at a major technology company updated his profile on a business social networking site. In doing so, he inadvertently pre-announced a shift in his employer’s strategy—a mistake that was promptly and gleefully picked up by the press.

    An employee found a novel way to fix a piece of equipment more quickly and, to help others across the company, decided to videotape the procedure. Because video files are so large, it didn’t make sense to e-mail the video, so the employee posted it online. Unfortunately, by doing so, he exposed confidential information.

    At one time or another, many people have experienced this disconcerting event: when composing a message, the e-mail software helpfully autofills the address field, but it selects the wrong name from the address book. You hit Send without realizing the error, thus dispatching a company-confidential message to someone outside the organization.

    It’s worth noting that this rule is not new. Information has always wanted to be free: think of the World War II slogan “loose lips sink ships.” People communicate, and sometimes they share more information than they should. It’s just the methods that have changed, and the fact that, with the Internet, a carelessly mentioned detail is instantly available to anyone across the globe.

  • Law #2: Code wants to be wrong. We will never have 100 percent error-free software. In fact, the more widely used the software, the more malicious individuals will hunt for vulnerabilities in the code. They have found and exploited errors in the world’s most widely used web sites, productivity applications, and enterprise business software.

  • Law #3: Services want to be on. On any computer, some background processes always need to be running, and these can be exploited by attackers. These could even be security software processes used for everyday activities like keeping systems up-to-date with software patches or monitoring for malware.

  • Law #4: Users want to click. People naturally tend to click when they see links, buttons, or prompts. Malware creators know this, and they take advantage of it. In fact, the entire phishing industry is based on the assumption that users will click on enticing e-mails, web sites, or pop-up ads, triggering the download of malicious code to their systems. The evolution of highly targeted attacks such as spearphishing has taken this to a new level, as when e-mails purporting to be letters discussing legal action from a circuit court were sent to senior executives at a number of companies.

  • Law #5: Even a security feature can be used for harm. Security tools can be exploited by attackers, just like other software. This means that laws 2, 3, and 4 are true for security capabilities, too. Networking equipment supplier Juniper Networks discovered that its firewall software contained “unauthorized code” that surreptitiously decrypted virtual private network traffic (Goodin 2015). Security researchers have uncovered vulnerabilities that can be exploited by attackers in products from well-known security suppliers, including Kaspersky Labs and FireEye (Ashford 2015).

  • Law #6: The efficacy of a control deteriorates with time. Once put in place, security controls tend to remain static, but the environment in which they operate is dynamic. Organizations tend to “set and forget”: to install security controls and then fail to update them with security patches or to properly maintain access lists. As attackers find new ways to circumvent or compromise the controls, their effectiveness progressively degrades. As Rob Joyce, who heads the National Security Agency’s elite hacking unit, put it, an organization with static defenses will drift to the back of the herd, where it is easily picked off by a predator (see Chapter 6).

  • Law #7: Code needs to execute. All software, good or bad, needs to execute in order to perform its intended function. Malware is created with malicious intent, but until it executes, it is dormant and can do no harm. Exploits can therefore be intercepted and stopped by security tools that inspect code before execution, identify good from bad, and prevent bad code from executing.

  • Law #8: Controls create friction. Security controls can slow users and business processes by impacting system performance or forcing them to use cumbersome processes. High-friction controls therefore impose a “drag coefficient” on business velocity. Users react to a high degree of control friction by circumventing the controls whenever possible; as a result, the controls can actually introduce new risks as business users go around IT to get their jobs done. Control friction is an important consideration when designing security architectures (see the discussion on the 9 Box of Controls in Chapter 7).

  • Law #9: As our digital opportunities grow, so does our obligation to do the right thing. As technology becomes embedded into the fabric of our lives, exploits that take advantage of technology vulnerabilities may increasingly impact the well-being of almost everyone in society. So it is particularly important that we apply the right ethical values to shape the way we design, develop, and implement these technologies. As I explain in Chapter 9, security and privacy should now be considered a corporate social responsibility.

A New Approach to Managing Risk

Given the ever-broadening role of technology and the resulting information-related business risk, we need a new approach to information security built on the concept of protecting to enable. This approach should

  • Incorporate privacy and regulatory compliance by design, taking a holistic view of information risk. Also, because all companies are moving toward using technology not only for internal operations but also in products and services, the information security organization must work closely with other business groups to understand and manage risk.

  • Recognize that people and information, not the enterprise network boundary, are the security perimeter. Information is no longer restricted to tightly managed systems within data centers; it now also resides outside the firewall, on users’ personal devices, and on the Internet. Managing risk therefore requires a range of new tools, including user awareness and effective security controls for personal devices.

  • Be dynamic and flexible enough to quickly adapt to new technologies and threats. A static security model will inevitably be overtaken by the dynamic nature of threats. We need security architectures that can rapidly learn and adapt to new devices and evolving threats, with a high degree of automation.

Above all, we need to accomplish a shift in thinking, adjusting our primary focus to enabling the business, and then thinking creatively about how we can do so while managing the risk. Our roles will only increase in importance as technology becomes even more prevalent. Our ability to protect information security and privacy will be essential to building the trust that enables our organizations to take advantage of new digital opportunities.