{"id":15596,"date":"2011-10-17T00:00:00","date_gmt":"2011-10-16T23:00:00","guid":{"rendered":"https:\/\/members.dataiq.global\/articles\/marcome-fly-me-how-avoid-crash-landing\/"},"modified":"2024-05-29T13:35:22","modified_gmt":"2024-05-29T12:35:22","slug":"marcome-fly-me-how-avoid-crash-landing","status":"publish","type":"article","link":"https:\/\/www.dataiq.global\/devstage\/articles\/marcome-fly-me-how-avoid-crash-landing\/","title":{"rendered":"Come Fly With Me – How to avoid a crash landing"},"content":{"rendered":"

\"\"\u201cToilet take up too much space on plane. If it is an hour flight, two hours to Rome\u2026 to Paris\u2026you can hold it in!\u201d \u2013 Omar Baba, (\u201cCome Fly With Me\u201d episode 1).<\/strong><\/em>
In a recent discussion with a large organisation\u2019s security team, they announced that the company had implemented a new approach to launching security technologies. In a nutshell, the message was, \u201cthere\u2019s been a shift to buy solutions based on business requirements – ie, the business needs to know that it needs a solution. The entire security team is there to serve the business.\u201d<\/p>\n

I don\u2019t know about you, but I\u2019m at a loss to know how the business would even realise it needed a security solution! I thought the idea of organisations hiring IT security specialists was to help them advise the business of information security risks to ensure the operational practices, critical assets and integrity of the business was protected.<\/p>\n

Quite how the business is able to assess unmanaged and unquantified security and operational risks on its own is completely beyond me. Here\u2019s a real-world example of the dangers of this approach. A friend returning a few weeks ago from a vacation in South Africa arrived three hours late because heavy winds at the original destination meant they couldn\u2019t land safely.<\/p>\n

Apparently, the majority of business-class passengers on the re-routed flight were complaining that they would be late or miss meetings as a result. After all, it was the pilot\u2019s job to get them there on time. Fortunately the pilot was not influenced by \u201cbusiness requirements\u201d.<\/p>\n

A recent survey conducted by Venafi revealed that organisations are deploying increasing numbers of digital certificates and encryption technologies, but that these security assets are also becoming lost, stolen and unaccounted for in epidemic proportions. More than half of those surveyed stated that, \u201cthey had experienced either stolen or unaccounted-for encryption keys, or they were uncertain if their organisations had lost, stolen or unaccounted-for encryption keys in general\u201d. In fact, they didn\u2019t know what was going on inside their own infrastructure.<\/p>\n

\"\"Taking this a step further, there are a number of critical areas where the \u201cbusiness\u201d really has very little understanding of what actually happens. For example, it is unlikely that business owners will have the understanding of the security risks that might be involved in security operations and encryption key management best practices. This includes things such as separation of duties, least privilege access, and the necessary processes and access controls.<\/p>\n

Although the business is likely to have requirements such as preventing application and service outages, it is unlikely that they will have any concept of what that means in practice and how to achieve it. For example, how would the business propose the IT department address the challenge of ensuring that digital certificates do not expire? Or what would the business propose as the answer to ensuring that key distribution and rotation is carried out in a secure manner?<\/p>\n

If compliance with the Data Protection Act, PCI DSS, etc, is a requirement, then it is even more unlikely that business owners understand the implications. For instance, how would the business propose that the IT department carry out the periodic changing of encryption keys when the keys have reached the end of their crypto-lifecycle validity period? And how would the business propose that the IT department implement best practices on cryptographic algorithms and key management, for example NIST Special Publication 800-57?<\/p>\n

\u201cEven the best encryption in the world is not going to stop an employee from bypassing procedures and making a mistake that results in data leakage, or a rogue insider from giving up sensitive information for money.\u201d That is the main message from a group of prominent cryptographers at the recent RSA Conference. According to the experts, \u201cencryption is sometimes deployed improperly, leaving gaping holes that can be used by attackers to steal sensitive data. Other times, encryption is used on a small subset of an organisation’s network \u2013 a risk-based decision that can have a profound effect on the security of interconnected networks.\u201d<\/p>\n

This often results from a business decision to try and ensure the most return with the least investment. The first order of business when any new C-level exec starts his or her tenure seems to be the cancellation of any investment in order to demonstrate their value to shareholders.
It\u2019s time that organisations realised that short-term shareholder benefits and executive bonuses based on maximising profit and limiting investment is never in the best, long-term interests of a business. As Omar Baba might say, \u201csafety check on airplane cost too much\u2026we have life jacket!\u201d<\/p>\n

\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"

\u201cToilet take up too much space on plane. If it is an hour flight, two hours to Rome\u2026 to Paris…<\/p>\n","protected":false},"author":3,"featured_media":15597,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","_searchwp_excluded":"","footnotes":""},"categories":[129,398],"tags":[171],"pillar":[],"class_list":["post-15596","article","type-article","status-publish","format-standard","has-post-thumbnail","hentry","category-editorial","category-public","tag-data-governance"],"acf":[],"publishpress_future_action":{"enabled":false,"date":"2026-05-20 22:44:44","action":"change-status","newStatus":"draft","terms":[],"taxonomy":"category","extraData":[]},"publishpress_future_workflow_manual_trigger":{"enabledWorkflows":[]},"_links":{"self":[{"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/article\/15596","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/article"}],"about":[{"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/types\/article"}],"author":[{"embeddable":true,"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/comments?post=15596"}],"version-history":[{"count":0,"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/article\/15596\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/media\/15597"}],"wp:attachment":[{"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/media?parent=15596"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/categories?post=15596"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/tags?post=15596"},{"taxonomy":"pillar","embeddable":true,"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/pillar?post=15596"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}