Risk Of a Perfect World

[Note to readers -- this article also appears on Medium]

It was an awful nightmare, the kind that is convincingly real.

You, me, everyone — we lived in a perfect and harmonized world where the Internet was free from subterfuge, deceit, and bad intent.

Inconceivable as it may seem, the Internet had become safe, even for children.

Somehow, in this perfect world, people were solely dedicated to pursuing meaningful and helpful endeavors. “Make the world a better place” was no longer a vapid tag line for Silicon Valley startups. In a strange and unforeseen turn of events, all peoples were putting the slogan into practice.

In this benevolent world — I realized with horror — security and compliance professionals had become irrelevant. (OK, smartasses, more irrelevant.)

Our various skillsets — identity, privacy, data governance, risk, compliance, secops, appsec — all gone the way of the dodo, the elevator operator, the travel agent, the pinsetter, and soon the baseball umpire.

Because no one was using the Internet except in the service of good. No individuals, no gangs, no crime syndicates were phishing in order to steal identities. No one was concerned with socially engineering admin rights on production systems in order to lurk, snoop, and exfiltrate. No one was enslaving IoT devices in botnets to launch DDoS attacks on critical infrastructure, or to generate fake ad traffic.

Social media accounts were real, not fake, and so was the information shared on social media sites. Anonymous social media identities existed only to protect journalists speaking truth to corruption and evil, without fear of retaliation; not to stalk, troll, or sow hatred.

To my dismay, applications were being developed securely, bulletproofed. With remarkable sanity, companies assigned 50 percent of their development budget to threat modelling, and static and dynamic code analysis, and just thinking like a hacker.

In this Lovecraftian hellscape, data might become corrupted or accidentally deleted, but breaches of sensitive data were rare, because sensitive data was classified, governed, handled, encrypted, archived, protected, and deleted according to a data governance plan and retention schedule.

When data was accidentally leaked, whoever discovered the leak alerted the rightful owner without a thought of taking advantage for personal gain.

Strangely disorienting it was to realize that system changes were planned and managed transparently, reviewed regularly, with accountability — who changed what, when, where, how, and why was always clear, approved, and documented for the record.

Each and every system was provisioned securely, from bare metal to virtual machines to containers, and monitored and measured in uniform fashion, without the need for human intervention.

The SOC was quieter than a VCR repair shop. Security teams were suffering from alert deprivation, not fatigue.

Security awareness training … quaint, retro, and no longer needed.

All hacking was benign, done to reveal vulnerabilities and flaws, not to take out systems.

All common vulnerabilities and exposures had been identified, cataloged, and, wait for it, expunged from open source libraries.

Zero-day malware didn’t exist because no one was making it.

Crowd-sourced bug bounty programs — definitely not something to quit your day job for.

Cloud vendor risk didn’t need to be managed because all SaaS offerings were certified against common, agreed-upon security frameworks, according to the nature of the service provided, before coming to market.

Ad blockers weren’t needed because no one would surreptitiously collect data and user info during a browser session with the intention of targeting people with ads or selling the information to marketing companies. It was considered uncool, so 2018.

Monolithic Internet giants were only concerned with providing value to the market, not capturing all the value for themselves, or cordoning the market off from the competition.

Encryption was still a thing. Poor encryption key management and encryption back doors weren’t.

Certs were always renewed ahead of expiration. Certificate authorities were 100 percent trustworthy.

Security badges were only required to identify who was in the building in the event of an emergency, not to keep out unauthorized personnel. No one who didn’t belong would try to get in.

All private information remained private to whoever owned it. All confidential information remained confidential to those permitted to see it.

User consent? No longer an issue. No one was aggregating and selling private data. All international data transfers were transparent, accountable, in accordance with global data protection rules.

No one had more or less access than what was agreed upon and needed to complete work, and if anyone did have more access than needed, they requested it be removed.

I woke up in a cold sweat, not sure of the time or the place, or how I fit in. In a panic, I reached for my security news feed.

Several new colossal breaches of health care customers’ personally identifiable data, the pwning and demise of another virtual currency exchange, a new flavor of the Mirai virus enslaving IoT devices, a spyware app released that exposes private photos, bank workers forced by darknet criminals to make fraudulent data transfers.

Thank God, all was still well with the world! Still more security, governance, risk, and compliance work than we could possibly manage, let alone catch up with. Management still didn’t understand what we did, or why they should care, and assumed that security and compliance problems would be resolved as soon as they arose, without negatively impacting the organization’s operations, release schedule, reputation, or financial bottom line.

We still struggled to overcome legacy technical debt that prevented us from meeting our objectives. We still didn’t communicate our roles and our accomplishments across the organization well. For the most part, our plans for prioritizing and addressing risk in a timely fashion relied on an ad hoc approach that didn’t clearly align to the company’s current roadmap or long-term strategic vision. We still couldn’t clearly explain how and where security and compliance had a positive impact on revenue.

I sighed with relief and drifted into a peaceful, reassuring sleep. Knowing, with unshakeable faith, that tomorrow would be just as uncertain and perilous as the days before and the days to come.

More articles by Doug Meier