I am a big fan of Seth Godin, so when I read the quote below in one of his recent blog posts, it not only caught my interest but also struck a chord in me, making me affirm my views on building resilience into Information Security in the 21st century.
“A fever is a symptom. There's an underlying disease that causes it. Giving you a fever (sitting in a sauna) doesn't make you sick, and getting rid of the fever (in a cold bath, for example) doesn't always get rid of the illness. Spending time and money gaming symptoms and effects is common and urgent, but it's often true that you'd be better off focusing on the disease (the cause) instead.”
While detecting the symptom and treating it is absolutely important, we also need to look beyond the symptom to find the root cause behind it. A security vulnerability in the software and hardware we build and use in Information Technology is also a symptom. While actively looking for vulnerabilities and addressing them is critical, it is time that we, as leaders of Information Technology, start looking beyond just vulnerabilities and remediation, seek their root causes, and address those proactively.
This is where it gets a little challenging. Information Technology is expanding at an exponential rate. We have removed some physical hurdles to enable this exponential growth. For example, with IPv6 we now have the capability to connect 340 trillion trillion trillion (undecillion) devices to the internet. To compare the scale of this with IPv4: if IPv4 with 4 billion devices was the size of a postage stamp, IPv6 is the size of our solar system. We are well on our way to connecting 50 billion devices to the internet by the year 2020. It is not just the size (number of devices) that is increasing exponentially; it is also the intelligence of the systems we are building and connecting to the internet. With technologies like Big Data and machine learning algorithms, we are entering a new era of predictive as well as preemptive intelligence, heralding a new era of “Smart Things”.
We do not know what technologies will exist and fuel this exponential growth in the next 5 or 10 years. The only thing we know today is that at the current rate of expansion, we will reach a point of “Singularity” in technology in 2045. According to Ray Kurzweil, by the year 2045 “human intelligence will enhance a billion-fold, thanks to high-tech brain extensions,” leading to a phenomenon known as the “singularity,” a point at which humans and computers will merge into one. This sort of “two in one” will create serious challenges for security and ethics in the allocation of moral accountability between the two.
If technology is expanding at an exponential rate, it is quite natural and logical that if we do not do anything NOW, the security vulnerabilities and exploits will expand, not exponentially but logarithmically. How do we secure not just our technology but also our future, if we don’t know what technology is going to look like in the future? Luckily for us, we humans have the ability to look for patterns and learn from our evolution. One reliable strategy when facing an uncertain future is to build some fundamental and universal capabilities that can help us build resilience in cyber security.
I will be talking about 4 fundamental capabilities that every enterprise should build for resilience in Information Security at HP Discover 2014, in Barcelona on December 4, 2014. The topic is “Moving Beyond Vulnerability Testing”: https://h30550.www3.hp.com/connect/sessionDetail.ww?SESSION_ID=5265