You've warned against technological overconfidence. You gave some examples in your [Converge05] speech. One example...
was Enigma, the coding system the Germans used in WW II. It was inconceivable to them that the Allies could break their codes. When things started to go badly, when all their U-boats were being sunk, they wanted to know why. They dismissed the possibility that Enigma was being cracked because in their minds, there was no way mathematically that it could be broken. They were locked in a mathematical mindset and not a human mindset. Of course, they were using the same repetitive system to start every message. So the cryptographers on the other side already had part of the message because it was always the same.
In the 1960s a critical safeguard for the U.S. nuclear arsenal, the permissive action links [the cryptographic combination lock on nuclear weapons], were disabled because some generals decided this system would slow down any retaliation against the Soviets. The president and the secretary of defense had no idea. It was a very dangerous security failure. What's the lesson for today's information security professionals?
It goes to show that you can put in a high-tech system and throw in restrictions and someone will find a way to break it. Work in the predictable and rigid and it will fail. It also shows that it's critical to focus on people over technology. Systems don't solve problems. People do. It shows that you have to always assume your defenses can be broken.

You've said the younger generation's security ideas aren't taken seriously enough…
Business leaders have to do a better job at learning from the younger generation. Look at Napster: Napster was a brilliant piece of innovation and the entertainment industry destroyed it. The industry's reaction to it shows they missed the point about how people want to get their music. It showed the resistance out there to listen to young people. The iPod wasn't all about Apple and their innovative thinking. It was a reaction to what the community has been saying it wants.

And you see similar innovation getting stifled on the security front?
It concerns me.

How do you get business leaders to change their thinking?
The kind of pressure that changes the way business is conducted always comes from the outside. I do think business people are under increased pressure to make security part of the business. But they still have work to do.

What's the lesson if you're the young person developing the new security technology?
You have to help people see you as a business enabler. You have to make them see that you have something that will help their business grow.
His basic premise is very critical -- there are no longer hard boundaries with technology. There needs to be a lot more breakthrough thinking.

The kind of thinking that led to Napster?
This article was originally published on SearchSecurity.com.