I’m currently reading the book “The Black Swan” by Nassim Nicholas Taleb, and it’s been a while since I have been this captured by a book. Taleb convincingly argues that we all (humans, that is) are failing to recognize the great events that change history – aka the “black swans”. He is exploring these highly improbable, but high-impact events, and dives into why we simply fail to predict or even try to guard against them.
I’m not done reading yet (I’m savoring every minute of it), but I find the parallel to my own profession are quite obvious: We security professionals are blissfully unaware of the game-changing events that will occur within information security, even though we have made it our profession to be able to predict it.
Yes, we do put a lot of effort into making predictions on the evolution of malware, advanced persistant threaths, cyber warfare etc., but how accurate are we really? I mean, given thousands of security researchers, someone is always makes the right call, but that doesn’t mean that we are any good at predicting, does it? If we were any good at it, the cyber criminals would have a hard time making money (unless they were as good or better at predicting than us).
But they are making money. Yet we behave like we know whats going on, when we are in fact no better on predicting whats next than a person with no knowledge on the subject whatsoever. It’s the same as “Doctor Doom” that predicted the credit crunch: Given millions of over-paid financial advisors, one shmuck was bound to be right. Pure luck?
Many predictions made in the field today is based on what happened last year (empiric data and “trends”), what CISO’s say they fear the next year to some worldwide survey (systematic hearsay) or what some security guru has blogged about recently (I’m shooting myself in the foot here, but: “less systematic” hearsay).
But how do we know that these data are any relevant for the future? Knowledge of them may enable you to shield your company from repetitive, predictable events (say, viruses, drive-by hacks, etc.), but will fail completely if someone does something unpredictable like getting access to your data through your backup provider. So how secure are we really? It’s easy to say in retrospective that an event could have been foreseen, but there are infinite ways of behaving unpredictable, and I know from personal experience that the word “infinite” and “IT Security Budget” is seldom uttered in the same sentence by management.
The truth is that we really can’t predict these events. Even so; these are the kind of events that can or will incur a major loss and maybe put you out of business. They have costs associated that are in a different league than those associated with virus attacks et cetera. But they are rare. At least we think they are rare, because no one (well, few) are reporting them. This does not mean that they do not occur, for some reason companies are not too eager to publish that their security has been breached. So we deal with both known unknowns (we know that there are some things that we don’t know, for example how many breaches that take place each day) and unknown unknowns (we don’t know that there are some things that we don’t know, which of course is even more serious). Donald Rumsfeld has a much ridiculed, but entirely correct definition at a press conference explaining the lack of WMDs in Iraq:
The known unknowns we can do something about; by sharing incident response and breach data we can make sure we are all up to speed and that we are cooperating against a common threat, and minimize the “unknown playing field”. The unknown unknowns are, in their nature, more elusive. These are also the events that often has the greatest impact, given that no one expects them. Including information security professionals.
So if we’re not any good at predicting the future and these “black swans” aka unknown unknowns, how can we claim to be able to protect our customers? Working within security today feels more like running from leak to leak on a sinking ship, trying to plug holes as they pop up all over the place. I think this also will be the case in the future – as long as business wants to trade risk (or, to make the consumer take a risk unknowingly) for money, security won’t be a priority. I’m not saying that trading risk for money is a bad idea – taking risk is vital for most economic environments to function properly.
But security holes are here to stay, since we cannot predict them and because it is good business to ship applications with holes in them. Which of course is good news for me, since I’m the guy running from leak to leak, but bad news for the community as a whole.