I feel better when I exercise. I’d probably do it even if it weren’t really good for my health. Really. But a nice by-product of my “indulging” in a good Stairmaster workout is improved health. My desire to feel better drives me to exercise, not the knowledge that it’s good for me. Conversely, I know friends who exercise only because they know they have to, and they’re miserable. They do it because their doctor said so, but they’re not happy about it.
There was a time, not long ago, when IT departments paid attention to security – and specifically to data access and control – because they had to: compliance requirements, imposed by a government entity, by customers, or by an industry standard, forced them to hop on their compliance Stairmaster every day. They did what they had to do because they were told to, just like my miserable friends on the treadmill at the gym. There may have been an improved-security by-product of their compliance efforts, but security was rarely the impetus for the project.
People in the industry even developed official-sounding language for this kind of compulsory effort: compensating vs. effective controls. A compensating control (formally, a substitute an auditor accepts when the control a standard actually calls for isn’t in place) is deployed to check a box. An effective control is deployed to check the bad guys. Traditionally, when faced with the choice between funding an effective control voluntarily and doing just enough to satisfy an auditor with a compensating control, only the most forward-looking organizations tended to choose the former.
Then along came Target. Then eBay, P.F. Chang’s, Home Depot, JP Morgan, etc. Almost overnight, a new high-profile corporate data breach became the dog-bites-man story; a week passing without one would have been news. But the straw that broke the camel’s back was unquestionably Sony. Sony learned the hard way – and the rest of the corporate world took notice – that there are worse things than losing money. Damaged reputation and public embarrassment are two that spring to mind in the context of the Sony breach. Suddenly, a commitment to actual, effective enterprise data security was no longer an unrealistic goal or expectation.
My hypothesis – that there’s a movement toward taking data security seriously – may have found some evidence in an informal poll that our people conducted in our booth at the RSA Conference last month. We asked a number of questions, but the responses to one in particular caught my attention: “What would be the primary driver for your organization to spend more on insider threat protection?” Nearly 70% of respondents selected either “Awareness of Potential Threats” or “Brand/Reputation Protection”, while fewer than 30% chose “Compliance”. So over two-thirds of the security professionals surveyed by our intrepid booth workers claimed to be pursuing “effective” security, and were no longer satisfied by simply passing an audit. (A summary of the survey’s results can be downloaded here.) As an aside, another survey question revealed that 50% of organizations admitted to having experienced a data breach; that reality may also have something to do with the trend toward more effective security.
It wouldn’t surprise me if the same question had produced the opposite result at the RSA Conference in 2010, but I’m afraid we’d need a time machine to test that hypothesis. So, if you’ll excuse me, I’m late for a date with my Stairmaster.