Is the Internet Secure Enough?
How could it be? Have you read the headlines, seen the regulatory requirements, or experienced the hysteria?
And yet those millennials will give away any information they have for a free taco. They seem to trust the Internet, and yet most of us don’t.
Trust is an interesting concept in digital business and the new collaborative economy. The dictionary defines trust as the firm belief in the ability, reliability or strength of someone… or something. I made the mistake of searching the internet for trust models and this is a fraction of what popped up:
Here’s what I learned. Don’t go to the Internet to learn about trust models.
Trust is a web.
- Do you trust the Uber driver who may have less training and certification than the driver from a regulated cab or limo company?
- If you are a homeowner, are you ready to throw your property up on Airbnb? How much do you trust the strangers you will be inviting to stay in your home?
- Your customers trust your company. Failure has customer satisfaction and revenue implications.
- Your executives trust you. Failure there has salary and career implications.
- PhDs study the trust relationship between pilots and aircraft automation.
- We all trust technologies. Do you trust cloud?
- Do you trust your employees? Your security people sure don’t because they keep trying to lock everything down in the name of protecting your company.
Trust is never absolute. It sits on a sliding scale.
Those millennials may give away all their information for a taco, but they draw the line when you ask them for information about their friends, or if you cross a creepy line in mobile marketing. So even those crazy millennials have limits on their trust.
There’s a power company in California that put up a website in the 1990s to communicate with their customers. That worked out well, so they put up online billing. Then some genius decided to hook their nuclear power plants to the Internet. The point is that each of these requires higher levels of protection and more trust.
Even identity and access management has become more “dynamic.” It’s not just usernames and passwords anymore. Increasingly it is about how you are coming in and where you are coming from. The more I know about you, the more willing I will be to give you access to sensitive information. The less I know about you, the more likely I am to keep you in a box away from the sensitive data.
Once you are comfortable with this idea that trust sits on a sliding scale, then you can work with it. Manipulate it. Maybe generate a little more trust … or a little less trust.
You are all familiar with service levels. Would you like bronze, silver, or gold service? Each of these comes with a little more protection, a little more trust … and a little more cost. We are now introducing the idea of choice into the mix.
Trust can be manipulated in technology. Gartner has this concept of a spectrum of trust in mobility. We have defined 6 different categories of trust including the platform, container, app, file system, cloud, and viewer. In each of these categories you can deploy a variety of technologies that will influence how much trust you have in your mobility deployment.
By 2016, 75% of large enterprises will have deployed technologies falling into four or more categories on the Spectrum of Trust for securely providing access to enterprise resources from mobile devices, up from 30% today.
But technology has its limitations. It doesn’t generate perfect protections or perfect outcomes.
I ran data loss prevention (DLP) technology coverage at Gartner for 7 years. This is really cool technology that can recognize sensitive data on the fly and enact a policy. For example, if someone is sending out an email with sensitive information, DLP can catch this action and stop it. The downside is that with every email you stop, you are stopping a little bit of business.
When I took hundreds of calls in a year on DLP, the first question was always something like “I need to stop people from sending out emails with sensitive information. What product should I buy?”
My response was always the same, “Before we get into technologies, have you asked them not to?”
With the acceleration of digital business and capabilities like cloud, mobile and social, people are being offered more choice. We can’t just shut them down and control them with technologies. We have to trust people more and more.
Gartner has developed people-centric security (PCS) to help organizations motivate their employees to do the right thing. This is far beyond the security training of the past that mostly consisted of posters and mouse pads that say “Security is Important!” PCS is the integration of security and the social sciences. It is about giving people rights and responsibilities so that they have a stake in the security outcomes.
In PCS we have this concept of a trust space, which is a measure of how much you trust people versus how much you rely on technology to make them do what you want. With digital business the trust space is growing for the people. You need to start thinking about this.
Trust is an artifact of your decisions and your actions.
This is very good news! It means we have some control over the amount of trust we have. There is no such thing as perfect trust, and yet we still have to trust people and we need people to trust us. We need to trust technologies as well.
Risk management can help us because there is a relationship between trust and risk. As we accept more risk, we engender less trust and vice versa.
Risk management is the conscious recognition that we can’t protect ourselves from everything. Every day we make choices. We can either invest in controls and experience less risk, or save some money and experience more risk. These two points create a continuum.
It is a legitimate business decision to exist anywhere on this continuum.
This is also very good news! It means we have choices! The mistake almost everyone makes is to think they live on the right-hand side (low risk) when in reality they live on the left-hand side (high risk), or to have no visibility into where they are on this continuum.
We are seeking a balance between the needs to protect and the needs to run the business.
To create this balance, we need to get better at making conscious decisions regarding risk. Earlier this year I was helping a large consumer software products company who wanted to accelerate their use of public cloud. I helped them build a risk model that guided decisions like which applications go into the cloud, which don’t, which data goes into the cloud, and what controls are necessary.
Every step of the way they were making conscious risk decisions that created efficiencies, saved costs, managed risk, and most importantly managed the trust relationship between them and their customers. They were managing risk to create real business value.
But making these decisions can be difficult and it requires you and your organization to think in a different way. It was summed up best by the head of risk and controls for a global bank who I was speaking to recently. He said “I don’t need risk experts. They always come in with an answer. I need people who can THINK!”
To help organizations think differently we provide research on a model to integrate risk and corporate performance. We also have a brand new risk treatment model that is designed to abstract out all the technology and help get the appropriate non-IT executives involved in making some serious risk-based decisions.
The best way to guide your decisions is to put them in a business context and connect them to desired business outcomes. Consider the following for success:
- How much trust do you really need, in people and in technologies?
- What are the business opportunities for enhanced trust? They are out there, you just need to find them.
- How much risk and security is appropriate?
This brings me back to my original question. Is the Internet secure enough?
The answer, my friends, is entirely up to you.