Imagine you’re the CEO of a thriving company and you’ve been horrified by the news of the Sony hack, the Target breach and the litany of security issues that have plagued big companies in recent years. You swear you’re going to do whatever’s necessary to make sure it won’t happen to your company. But do you realize what that really means?
At a holiday party, a guy starts chatting you up while you’re working on your fourth martini. And he speaks directly to your fears. He knows someone who could help you out with your security problems — make it so that you would never suffer the fate of those poor suckers at those other companies. You have to admit, you’re intrigued because you never want to be in the position of explaining to your board of directors why you were the latest victim.
You get the name and run a background check and find out she’s good. Very good. Her experience includes stints with military intelligence, the NSA and a number of successful security startups. You’re ready to write the check just to hear her pearls of wisdom.
The day finally arrives and your assistant shows the consultant into your office where she quickly takes a seat, takes a speck of dust off her pants and looks you in the eye.
“You’re really willing to do whatever I say?” she asks.
You tell her that if she has a plan, you’ll follow it. You wait anxiously to hear what she’s going to say.
The first thing you need to do, she tells you, is disconnect from the Internet. Before you can object, she holds up a hand and asks that you let her finish. You start to sweat, and she keeps going.
You’ll need to take away all of the laptops. There will be no smartphones or tablets allowed in the building. You’ll use desktop computers without USB ports or DVD drives. There should be no way that you can save to an external device. Everything will be connected on a highly secure, completely private internal network accessible with two-factor authentication.
You won’t use any cloud services and there will be absolutely no mobile apps. If you run a website, you will keep it simple and with very little information. Contact information will be through a form and you won’t have an address for the company beyond a post office box.
You will hire highly skilled security personnel. Everyone will leave their phones at the door on the way into the building — including you. Everyone will be searched entering and leaving the building — including you. No exceptions. You will put cameras everywhere and you will have your security staff monitor them in a control room to make sure nobody is doing anything suspicious.
Anyone caught with a prohibited device will be fired immediately.
You will keep partnerships to a minimum, and all guests, including customers, will be subjected to the same strict security regimen, and no one will be allowed to carry any devices of any kind inside.
“I couldn’t possibly do that,” you say to her wide-eyed. “I would be sacrificing my entire business, handicapping and harassing my employees and my customers, all in the name of protecting my company.”
“So it seems you wouldn’t do whatever it takes, would you?”
—
Playing Security Chess
So if you can’t lock down your company, what can you do?
You have to give up the notion of complete security and place your bets on things you can control because there is an organized effort to attack your networks. And depending on your type of business, the more determined these parties might be.
Yet it seems that the further we advance technologically, the less secure we become. David Cowan a partner with venture capital firm Bessemer Ventures says one of the reasons for that is because technology has become so intertwined in our lives.
“Broadly speaking we are adopting technology that’s becoming more and more pervasive in our lives and jobs. The opportunities for cybercrime, mischief and [mayhem] has grown over the years and there is more motivation to do so,” he told me.
As Cowan explained, back in the 90s, hacking was about ego, but over time it has evolved to include fraud, identity theft and other criminal activity — and more recently nation-states partaking in surveillance and organized cyber-mayhem.
But as one security startup CEO told me recently, we are doing better than we think. You may find that hard to believe if you’re a CEO trying desperately to avoid being tomorrow’s headline. But he described a giant chess match between the people trying to get into our computer systems and those trying to keep them out.
As bad as it seems today, this security executive says if it weren’t for the checks and balances that security companies have put in place, it would be far worse and we couldn’t be using the internet to conduct business the way we do.
Walking the Security Tightrope
So we are left with a balancing act: We can’t be stupid, but neither can we sacrifice the business in the name of protecting it. As Cowan explains, security isn’t your highest priority as an organization. Being a good company is your first priority, and security should be part of that.
“Job one should be providing functionality your users need to get jobs done and have good experience. For most of the interesting applications in the world, trust is an integral part of good user experience,” he said. And if you want to be trusted, security needs to be at least an important component.
From a broader perspective, you cannot have a completely secure company that has been stripped of internal freedom, precisely for the same reason you cannot have a democratic society that is safe from any attack and maintain anything approaching privacy. If you decide, as our example above highlights, that you will do anything to be secure, you end up with a company so locked down that it will not be able to maintain a staff, let alone a staff that you would want to work with.
Surely there is always a tradeoff between security and privacy, and everyone has their own tolerance level regarding which side of this they should fall on. In the end, you have to ask yourself how much you squeeze the individual factor out of the equation. Can you honestly turn your workers into drones incapable of malicious activity, let alone honest mistakes?
When it comes down to it, you would no doubt agree with the CEO in our example that you cannot prioritize security over the company itself. No CEO would. You just have to be able to reconcile the fact that you could experience a breach — and that’s the tricky part.
Alex Wilhelm contributed to this post.