The ‘fowl’ truth about security

Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months. Clifford Stoll

Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.Clifford Stoll

Dear Vorticians,

Ducks quack in regional dialects and ducks from London are the loudest of all.

There, I’ve finally said it.

In what might be the oddest news item I ran across all week, Middlesex University researcher Victoria de Rijke – also known as Dr. Quack – reported that those inner-city ducks not only sounded different but were far louder than their Cornish cousins, who were “soft and chilled out.” (Interesting image. One pictures, perhaps, a mallard sipping a lightly chilled Pinot Grigio.)

That’s probably because those Cockney fowl have to compete against all the other city noises, such as sirens and Posh Spice. De Rijke’s Quack Project (honest) was established to answer the age-old question weighing on everyone’s mind: Do ducks everywhere quack the same? Now we know. Ducks do not speak in one voice.

But CIOs do when it comes to the issue of security. It’s becoming an increasing drag on their extended enterprise efforts and a drain on precious resources.

I had the pleasure a couple weeks back of chairing a roundtable of prestigious CIOs and top security officers from major corporations, all of which have devoted considerable energy and money to solving security problems over the years. But far from feeling more protected and enabled, these IT leaders feel their companies face an increasing array of threats, and that they lack the information about best practices and risk-to-cost analysis that would help them solve, or at least better manage, their security challenges.

Some of the key points raised during the discussion:

* CIOS are struggling to get a handle on emerging threats, or the “unknown unknown,” as one participant said. Attacks are morphing and blending and the time to prepare for and deal with attacks has dwindled from days to hours to minutes. Companies need an “early warning system.”

* Companies face growing “reputational consequences” for security breaches. As businesses become more reliant on extended enterprise operations and the Internet itself, they run a far greater risk of damaging their hard-won brands and public images as a result of security risks. One participant described the companies in the room as “massively interdependent” on one another in a great electronic supply chain that’s threatened by security problems. Another wondered aloud who’s ultimately responsible for ensuring the stability of that ecosystem, likening it to the electric grid and recalling the sudden, massive power outage that struck major portions of the U.S. last year. Could the network version of that crisis occur soon?

* CIOs in the room said that security fears have slowed their efforts to offshore operations. Some readers might find that a good thing, as Martha Stewart (who may get a new trial) would say, but it is indicative of the friction caused by security problems. The same is true for working with service providers (such as ASPs) domestically.

* In what can only be chilling for anyone interested in innovation and investment, the CIOs said that security concerns have made them reluctant to bring startups into their IT shops. New companies and new technologies mean increased complexity and added risk. One speaker said his company wants everything to be “simple, common and global.” It’s difficult to get any traction as a newcomer in that environment.

* Compliance with new regulations and requirements like Sarbanes-Oxley and HIPAA is a nightmare – and one that is likely to get scarier with each passing year. On Sarbanes-Oxley, IT executives are, frankly, resentful that they’re spending more and more time working with auditors on something that was the auditor’s job to begin with: ensuring that financial results are accurate. What constitutes compliance is squishy and ever changing, but always more difficult to achieve with each passing redefinition. Complying with myriad international privacy rules is a separate species of nightmare entirely.

* Mobility may face a big clampdown. CIOs are very concerned about the proliferation of mobile devices and, thus, the propagation of valuable corporate and customer data, not to mention the security problems these roaming, rambling machines bring back to the company. Look for new limits on what’s acquired and how the devices and data are used.

Interestingly, the companies participating did not believe that strong security could become a competitive advantage in the marketplace. In fact, they seemed loath to promote their security efforts, lest they become the target of every twisted code-nut in the world.

The discussion was sobering – even though I believed I understood the depth of the security challenge. So, tell me, my dear Vorticians, does this problem get worse before it gets better? Will it get ever get better or is this an ongoing arms race?

Send your thoughts through the decidedly un-secure channel that is e-mail. You can reach me at jgallant@vortex.net. Bye for now.