In my opinion, ICT Security is not about being certain, simply because it is impossible to know for certain that you are secure. The most we, as persons or as companies, can reach is a certain feeling of comfort. The feeling of comfort is good. It keeps you warm and happy and you do not lose any sleep. You might think this is going to be a happy blog. If so, keep up your level of comfort and stop reading any further.
The feeling of comfort is where the trouble begins. ICT Security is a monster with many heads and, believe it or not, it grows new heads by the minute. There is a lot we know about this dreaded monster. We know about virus protection, for instance, about passwords, about firewalls. We have taken measures against these well-known heads of the monster. Comfortable, right? Right! Knowing what we know is good, because we also know what we should do against it. There are hardly any companies that will admit they do not have measures in place against these monsters.
In March 2012, Google’s Digital Marketing Evangelist Avinash Kaushik revisited former Defense Secretary Donald Rumsfeld’s now infamous 2002 statement:
“There are known knowns. There are things we know that we know.
There are known unknowns. That is to say, there are things that we now know we don’t know.
But there are also unknown unknowns. There are things we do not know we don’t know.”
So the known knowns lead to a comfortable feeling. What about the known unknowns? Here you go. Starting to feel uncomfortable, isn’t it? What do we know, for instance, about Advanced Persistent Threats (APT), and especially about APT in our own company? What do we know about social engineering in relation to our company? We know it is probably there, or lurking around the corner, but we do not know what, how, when, where and so on.
There is one really good thing about the known unknowns. In most cases they challenge all, or at least some, in your organization to explore. So parts of the known unknowns therefore become known knowns. Right?
And now for the last category, the unknown unknowns. What do you feel about this category? Comfortable, right? Probably not entirely, assuming you have a feel for the topic. But what about the C-level in your company? I think that the unknown unknowns provide comfort for a lot of decision makers. This feeling of comfort is often reflected in the difficulty of obtaining budget for ICT Security. It is fairly easy to get money for virus protection, but what about implementing procedures that target the unknown unknowns of ICT Security?
Is this picture fair? Probably not entirely. But I think the stakes of the game have changed. Cybercrime is big business. Many countries incorporate cyber warfare tactics and techniques into their military arsenal. Could this turn into a new kind of cold war or arms race? I think it might. The question is: “can we allow ourselves to get comfortable when it comes to ICT Security?”