Zero Trust is Here – Nobody Trusts You

When we think about the endless procession of breaches in the news, it's only natural for IT security pros to think "Phew. Glad that wasn't me." But the problem is, it is you. Breaches are not isolated events that affect only the breached organization; to the outside world, each one is an indictment of the entire system of collecting, storing and protecting data. Even if you've never been breached, your customers have little confidence that you won't be in the future, simply because it seems everyone gets breached sooner or later. It's like being an honest used car salesman: customers are going to assume you're crooked anyway.

Breach by breach, ordinary people are changing their behavior. A friend of mine (an ordinary, not-terribly-technical kind of guy) told me he recently stopped participating in an annual U.S. Labor Department survey that he'd done since he was a teen in the 1970s. This survey asks some pretty personal questions about finances, social habits and the like, and tracks how those evolve over time. He was considered an extremely valuable data source, due to his nearly four decades of participation.

Last year, though, it suddenly occurred to him that this intensely personal information could be horribly embarrassing if it ever got out, so when the survey rep tried to schedule him for this year, he asked what protections were in place for his data. The rep could not explain anything beyond “all of us are sworn to confidentiality,” so he said he would not participate again until someone with some technical knowledge could describe in plain English how his data was being protected. The rep promised to set up a call with such a person, but never did. Instead the rep called back in a few weeks and offered him more money to participate. (He declined, showing that you can’t buy trust.)

What does all this mean? It means that we all face an enormous challenge in restoring trust among the general public. How do we do that? We have to start by looking at ourselves: if we can't trust our own infrastructure and processes, how on earth can we expect the outside world to trust us? The Cisco 2017 Security Capabilities Benchmark Study found that organizations can investigate only 56% of the security alerts they receive on a given day. When the other 44% of the alerts coming your way never even get looked at, you have no basis for trusting your own security infrastructure and operations. And if you can't trust yourself, how do you expect anybody to trust you?