Today’s unanswered question: Why do organizations think they are secure?

Recently I’ve been asking friends, colleagues and clients what they think are the most important unanswered questions in tech. I thank Ian Murphy, who works in the security industry, for the following conundrum:

“Why do companies with little or no real security experience think they know their environment better than anyone else? That is, because it’s ‘their’ network, they feel best placed to identify attackers (even those with advanced techniques who hide in the normal traffic noise)?”

It’s a good one. I’ve been working in IT for decades and I remain baffled at how we lock up our houses, secure our vehicles, seal away our valuables and yet, in the corporate environment, senior executives still question the need for security expertise. Ignorance, it would appear, is bliss.

While the problem may be technological, I suspect the answer is inherently human. Back in the day, when I was an IT director for a subsidiary of Alcatel, it took a major security incident on my watch to trigger any release of monies from my superiors.

Now, I recognise that I am already looking guilty of transference — wasn’t I the person responsible for securing the network and servers? While this is true, anyone who has worked in this environment knows just how complicated it can be to ask for security budget. I know I tried.

And indeed, I remember the feeling of “I told you so” even as I worked with my team to rebuild the previous day’s data sources from (offline – phew) optical backup drives. Suddenly the cheque book was open and we could self-authorise training courses and enforce stricter policies — it was an internal breach.

So, I’m not sure organizations do think they are inherently secure, or that it’s nobody else’s business. I think, a bit like that feeling as we head down a dirt track on a mountain bike, we simply hope that the bad things won’t happen. That might have worked back in the early 1990s, at least some of the time.

The difference now, however, is that bad things are happening, all the time. We have moved from a state of security by exception (where the probability of an attack was relatively low, even if its impact was high) to a situation where all organizations are under constant attack.

This isn’t the latest missive from an industry keen to sell you some security solution; it’s a fact. The probability is very high that, right now, automated tooling is probing your internet-facing perimeter for known weaknesses. The impact of a successful intrusion is as high as it ever was, and since risk is the product of probability and impact, overall risk has increased.

Somehow, however, we still retain the attitude that ignoring the problem will get us through. Denial has been a fantastically useful tool in our evolution, without which we may not have survived as a species.

Like the shell on a tortoise, however, it wasn’t designed to deal with the threats of the technological age. Indeed, the smarter cybercriminals base their strategies on our hope against hope that the bad things will not happen to us.

So, the answer to the question is perhaps not that companies think they know their environment better. Rather, it is that they don’t want some third party coming in and rubbing their noses in their own ignorance.

Indeed, I’ve heard of cases (perhaps we all have) where organizations have decided against an audit, lest it turn up things that will have to be dealt with. Which is quite staggering, if you think about it.

What’s the answer? Sometimes it takes a major breach to shake board-level execs out of their reverie. However, relying on this approach is possibly the highest-risk strategy of all.