In information security, trust is a cornerstone in all that we do. We trust the technology we use to help defend our systems, we trust our staff to comply with policies and not to fall victim to phishing emails, we trust those we appoint to manage our sensitive data not to divulge it to others, we trust our business partners to take the necessary steps to protect information we share with them, and we trust our governments to provide a safe business environment and to protect our rights.
The recent revelations by former NSA contractor Edward Snowden that the US government has been snooping on the Internet traffic of innocent people and placing bugs in the embassies of the European Union highlight the damage caused by breaking that trust. As a result of these allegations, the EU has suspended trade talks with the US and has also threatened to suspend any data sharing with the US.
The above revelations have not come as a surprise to many in our industry. However, they have brought the whole issue of trust to the fore. Many businesses are now thinking twice about engaging with cloud service providers, especially US-based ones.
Others are now looking with distrust at the operating systems, software, and hardware they use. And, of course, Edward Snowden’s actions have highlighted the insider threat and the question of how far employees with privileged access to key data and systems can be trusted.
When we examine the different elements that we need to trust in order to enable our organizations to conduct business securely, we can only conclude that there are many links in that “chain of trust”.
Like any chain, the chain of trust is only as strong as its weakest link. For most organizations that chain will be made up of the software and hardware their systems run on, the providers of services such as hosting, telecoms and support, partner companies and their staff, companies to which they outsource some of their work, the users in the organization, and even government(s).
The above list highlights just some of the various entities that organizations have to trust in order to operate securely. After all, if they trust nobody then they will not be able to function. This is where we as security professionals come into play. Our role is to ensure that the levels of trust our organizations require are provided and maintained. Yet, in many cases we fail to achieve this goal. I believe part of that problem is that we have not allowed the business to build complete trust in us and in how we provide solutions to the business.
Typically - and very often for good and genuine reasons - the information security function in many organizations is viewed as blocking business or delaying projects and business initiatives. This results in the common scenario where security is often the last to know about a new IT or business initiative and then has to scramble to provide security input against a looming business deadline. In many cases this means systems go live to meet a business deadline with security issues still outstanding. Promises that these issues will be addressed in the future are always made, but are never fulfilled.