Failures of integrity
James Bore
I make compliance a painless outcome of good bespoke processes instead of a storming headache of artificial cookie-cutter targets.
First newsletter, so it may be a bit waffly as I work out a voice. Some introductory stuff, explaining why I think you should be reading what I say and paying attention. And, of course, a bit about the systemic problems we have with integrity in the industry.
A bit of history
I've argued before that cyber security (or computer security, technical security, whatever term is fashionable today) began somewhere between 1970 and 1972. It's an argument I'll stand behind, against those who say that it began with Creeper in 1971, in the same way medicine started when people began studying and trying to treat disease, not with the first infection.
What that means is the field was somewhere around 18 years old when Sarah and Chris Bore founded the original incarnation of Bores in 1988. Given that one of the first customers was GCHQ (it's okay, we can talk about it), it's safe to say that security has always been part of the family business. Another early project was working on interview cameras for legal investigations - building fully auditable, tamper-proof devices.
I won't cover the full history; I just want to clarify that Jennifer Bruton and I grew up in an environment where technical and security matters were casual dinner table conversation. We were incredibly privileged in this, and even more so now that Jennifer Bruton has joined the family business along with her husband James Bruton (yes, that does get confusing), bringing their own unique perspectives to what we do.
This comes to mind because over Easter dinner we got into one of those discussions, about reputation, integrity and trust. Being a family business means that every time we work with someone we are very much putting our name on the line. We're also small (technically I think we're a micro), and being a family (literally, not metaphorically in that 'it's like a family' marketing way), trust and open communication are integral to the way we work, and absolutely vital to make working together possible.
We don't have the resources to cover up if we make a mistake, so instead we have to admit it, learn from it, and move forward.
Integrity failures in security
We're used to talking about integrity failures as part of the CIA triad (that'll be a future newsletter - I have some sacred cows I'm intending to barbecue as I find the right words). Over the last few years, I've been much more concerned by them less as a technical security impact and much more as a constant background noise weakening the foundations we try to build on.
You may have come across one of my rants about pointless lists. Possibly you've even heard me complaining about manipulative posting tactics to get followers (e.g. 820 million people will see this post, comment below to connect with them). You might even have caught my talk in Cardiff (given under a false name) about impostors in the industry.
On top of that we have well-known companies selling security 'solutions' (feel free to substitute snake oil or magic bullets) credibly accused of deceptive marketing and, in some cases, undergoing investigation for fraud.
This lack of integrity weakens the entire industry, destroying any foundations of trust that could otherwise be built and putting us all in a position of constant doubt and questioning. That takes energy that could be used elsewhere, and even the best due diligence attempts crumble under the sheer constant weight of mis- and disinformation noise out there.
Part of the problem is that some of the biggest culprits have either huge and fanatical followings (where they're individuals), or very large and well-resourced PR agencies and departments backing them.
Attempts have been made by some companies to vet others and become a trusted source. The problem is, integrity is incredibly hard to scale, and due diligence done thoroughly requires significant resources, so many of these attempts either fail or end up being too large to maintain without compromising quality.
I have yet to meet a single person in the industry who doesn't have some story about due diligence failures being ignored, or being so superficial that they're meaningless. Everyone knows of technology bought to tick a box with no real consideration or investigation. And that's without touching on the topic of audits (the fact that certain companies keep being fined for ethical breaches, yet somehow are still the 'trusted' option, astounds me).
I don't have an easy answer to this, but it is something we need to recognise and talk about openly to get to an answer. We need to be willing to confront the issue. Naming and shaming may not be practical for the vast majority, due to the scale of resources at the disposal of the bad actors. Despite that, we can at least build awareness of the red flags in the same way we do when training people to avoid phishing.
Frankly, if we can't at least start to fix the integrity problem in our industry, it may be time to give up, unplug the internet, and bunker down.
Regional Security Manager - North West Africa chez IBM - Diplomatic Security expert "Constant learner"
1y: Abderrahmane Hana
Cybersecurity practitioner, coder. Also part time runner and former club DJ. Member of BCS, ACM, OWASP, OpenUK
1y: Great article! One of the few things we have as humans is integrity. Once that's lost you might as well let the machines take over imho. Thanks for sharing.
25+ years of growing tech companies internationally | Fractional EMEA VP/CIO/COO
1y: I'm wondering how much of these - surely astute - observations and dissection are really specific to the security industry, though. I'd argue it is part of the human condition and gets accelerated and amplified everywhere with the momentum and scale of our modern times.
I work with people who deserve honesty from my consulting approach to improving their security stance. This way, they can feel secure and have definite clarity about what is needed to protect their value creation.
1y: Nicely written and an enjoyable read my friend - look forward to the next one!