Hello Cybersecurity Community and Friends,
Some of you will remember in the movie “Pretty in Pink;” great movie if you haven’t seen it – I would say a classic in its genre for the time.
Now you may be asking: why am I referencing a ‘80s movie to a modern phenomenon that is happening every single day—the data breach? Trust me friends, there is a reason.
I see three components to data breaches: #1 – Data, #2 – People/Process, #3 – Technology.
- Andie (Molly Ringwald) is an outcast at her Chicago high school and isn’t viewed as popular by any means; let’s say Andie represents Data
- Ducky (Jon Cryer) who plays Andie’s quirky classmate and who has a crush on her; let’s say Ducky represents People / Process
- Blane (Andrew McCarthy) one of the rich and popular kids at school and asks Andie out—which seems too good to be true; let’s say represents Technology
Movie spoiler alert – Ducky (played by Jon Cryer) didn’t get the girl Andie (played by Molly Ringwald) at the end. Andie instead ends up with Blane (played by Andrew McCarthy) where Blane is one of the rich and popular kids at school.
The intersection of these three characters, how they interact and the ultimate decision that Andie makes is very indicative of today’s data breach. Andie wants to become “popular” and thinks by dating Blane and following a checklist of “popular” actions – Andie will be “popular”. Andie will be secure!
Many organizations see technology and technological checklists as what they need to achieve to protect against a data breach. All the while organizations may, at times, minimize the importance of people and business process as better suited to protect an organization from a data breach. It is very similar to the movie: where most viewers felt that Andie should be with Ducky, as he truly understood Andie and complimented her needs—making her a better person, and ultimately truly secure. But alas, this is a movie, and picking who “should Andie be with” is a low-risk decision. However, picking between technology and people/process is perceived as a high-risk decision when it really should be a low risk decision to focus on “both” equally.
Why isn’t focusing solely on technology and technology security checklists working? As Josephine Wolff wrote for Slate in her article about the OPM breach:
“So why there isn’t a straightforward checklist of security measures? For one thing, those measures are constantly changing and evolving over time as we witness new attacks and develop new defenses. For another, an organization’s security needs depend to a large extent on the particular organization—what kind of data and assets they’re protecting, who they’re protecting it from, what kinds of access and services they need for their regular day-to-day functioning. It’s hard to come up with a one-size-fits-all set of security measures that would make sense for every possible target.”
Wolff goes on to write, “There are some fairly comprehensive catalogs of security measures, including the encyclopedic ‘NIST Special Publication 800-53’ and the less massive but still pretty extensive list of ‘20 Critical Security Controls for Effective Cyber Defense.’ But while they can be helpful for people trying to get a handle on all the different available tools and techniques, they provide relatively little guidance about where an organization should start and what it should prioritize when it comes to security.”
Think of these guidelines as Blane’s advice to Andie: here read this and you will start to understand how to become popular and rich! The reality is Andie following Blane’s advice, or us as security professionals following these guides, doesn’t get us any quicker to “understanding” how to achieve our respective goals. These security measures and frameworks provide little guidance around where an organization should start and what should an organization prioritize in the context of security.
This is where Ducky comes into the picture and provides the guidance to Andie to be successful; and this is where People/Process are key to providing the guidance necessary for these security measures and checklists to be successful within an organization. As Wolff writes, “Moreover, defending against computer security breaches often involves a number of different defenders—not just the organization protecting sensitive data, but also the organizations involved in transporting and storing that data. Identifying necessary defenses is not just a matter of understanding your particular organization, what it protects, and who it’s protecting those assets from; it’s also about the other people you rely on—and who rely on you—and what their respective defensive roles are, and how your defenses interact with, and ideally augment, theirs.” Focusing on People/Process will provide the guidance necessary to successfully navigate and implement security measures for the technology within your organization. Andie would not have been successful with Blane if it weren’t for Ducky!
I may sit in the camp that Andie should have been with Ducky as opposed to Blane at the end of the movie. However, our Andie (our organization’s data) really needs Ducky (People/Process) and Blane (Technology) working together to be secure. Don’t let a data breach be your “Pretty in Pink” moment. Don’t ignore your “Ducky”s!
Please comment below or email us at email@example.com. Regards, Kyle