As I try to do every month, here is some [hopefully] thought-provoking information for you as we look to the excitement and uncertainty to come in 2024. This time of year, it is customary for some to undertake challenges to test themselves or create resolutions to better themselves. I'm no different. I like to use the start of the new year like a well-shaken Etch A Sketch [clean]. For me, one resolution is to keep working to improve my cyber security vigilance and awareness, to apply effective changes that reduce risk and increase IT security for ISHPI (and for you and me) [yes, I'm that dull!], and I would like you to think about joining me in a resolution. This past week, I recalled an old opinion piece by an IT security guru about moving "Beyond Security Theater". Ironically, it has nothing to do with IT security, but with physical security and terrorist-type activity.
The BLUF (bottom line up front) is this (and I recommend reading the article as well): if we stop to look, there is a lot of "Security Theater", or "security measures that make people feel more secure without doing anything to actually improve their security". The big question is, do the security measures we are using really help make us safer and remove risk today, or are they akin to the pretend protection of hiding under a blanket?
How did I get here, you may ask? Well, after reading some of the end-of-year cyber reviews this week, I found this concept touched upon by a fellow CISO: some of what we do in IT security is just for show now (theater) and really isn't helping secure us anymore. It either stems from "that's the way we have always done it" or it is part of "checking the box" syndrome. To be fair, the control might have been effective 30 years ago, or it may be a control that was appropriate once but has evolved out of being applicable, yet is still mandated by compliance (think password and length requirements). Increasing the requirement for password length is just "Security Theater" today: it makes us feel like we are more secure [heck, that is an 18-character password, no one could guess it, right?!], but it doesn't really hinder a bad actor very much with today's compute power. An analogy would be having a lock on your screen door, then adding to that lock by putting a pole in place to stop the screen door from sliding open. Yes, it will stop a person from easily opening the door in a traditional manner, but it is just a screen door, and it is easy to circumvent the controls you put in place. Please don't think I'm saying that locks and passwords don't have their place; they do. This is just an example [a stepping-off point, if you will] to start critically thinking about how we implement controls to prevent malicious behavior (physical and technical), so that what we spend time (and money) on is actually providing the desired security and risk reduction, not just making us feel like we are secure. That is my goal for 2024: to critically assess and adjust how we (ISHPI, our clients, and ourselves) implement and verify that the security controls we are using are appropriate, and to look for those "locks on a screen door" that really aren't doing much more for us than providing a false sense of security (and probably hindering productivity)!
Newsletter By: Rob Collings, ISHPI's VP of Cybersecurity | CISO
January 2, 2024