I committed a crime in order to write this column. I stole Kevin Mitnick's book. You know Kevin Mitnick. He's the famously felonious weasel who lies, cheats and steals his way into other people's computer systems. He's a hero to hackerdom. But rather than contribute to his royalties or sales, I used his suggested techniques of "social engineering" to filch a copy from his publisher. It felt good. Thanks, Kevin.
In fact, reading Mitnick's book was a powerful experience. Not because the book was well-written - although it's not bad - but because it tells story after painful story of people who got digitally screwed because they trusted jerks such as him. They tried to be helpful; they tried to be responsive; they tried to be kind. That was their fatal mistake. When a Kevin "Klone" pretends to be from a help desk, you know who's really getting helped. The essential Mitnick message is that "trust" creates vulnerability. Trust is the gift that makes Mitnicks possible.
That's what makes implementing network security so hard. It isn't that people are always the weakest link, or that the code has more holes than Swiss cheese, or even that Russian mobsters now have the resources and incentive to crack any system they choose. It's that effective network security means building systems that tell people they can't be trusted.
Most reasonable people - your customers, your employees and your suppliers - resent being treated as untrustworthy. The natural human tendency is to resist initiatives that presume we are potential liars, cheats and thieves. Yes, we'll tolerate memorising a password or two, but how many hoops do you seriously want us to jump through? You're kidding, right?
Computer security is doomed to become even more cumbersome and costly. Why? Because the more dependent organisations become on their networks, the less trusting they can afford to be. That's the Net-centric enterprise security paradox: The more access I need to be more effective, the more effectively I need to be monitored. The more network access we give to our customers, suppliers and ourselves, the more network protection we all need. Everyone becomes more vulnerable to being Mitnicked or SQL Slammed.
This is where CIOs get screwed. Unlike virtually every other facet of network economics, computer security doesn't enjoy economies of scale. Security inflicts diseconomies of scale. Giving more people more passwords hardly represents an "economy of scale". To the contrary. It represents new complexity that has to be managed, tracked and audited. That's both computationally and organisationally expensive.
Network security costs disproportionately accelerate as organisational Net-centricity increases. I've personally witnessed recognition of how this reality infuriates top management. By the time one bank calculated the costs of making certain databases available to both customers and loan officers, the proposal's ROI was ruined. Security killed its CRM. Executives spoiled by favourable network economics believe their security spend should, at worst, be a relatively fixed percentage of the network budget. Never happens.
Security costs almost always spike and surge beyond expectations. The underlying dynamic is inescapable. When more people have more real-time access to more data of ever more value, the risks associated with security breaches exponentially increase.
Those problems can't be solved. They can only be managed. Most companies manage them by telling the CIOs that they're in charge of network security. Thanks a lot.
The serious question is, how should CIOs manage these excruciating trade-offs between network economies of scale and network security's diseconomies of scale? My answer is that CIOs should tell their operating committees and their boards that it isn't up to IT to define what "trust" means or what it's financially worth.