Security, Sensationalism and the Rational Mind

Kenneth Johnson / April 19, 2015

My thoughts on security have lately been swirling around a recent 60 Minutes segment on the Sony Pictures hack. In that segment we learned that the attack carried out by North Korea was not technically sophisticated. In fact, the experts interviewed compared it to a moped next to the F-22-fighter-jet-level attacks that other actors, including the U.S. Government, are capable of. Startlingly, despite the low sophistication of the Sony hack, those same experts estimated that 90% of U.S. companies would be vulnerable to the same attack.

So how worried should other companies be? In my opinion, anyone interested in security should be reading and listening to Bruce Schneier. Although he is certainly an IT security expert, Schneier thinks broadly about security and about how humans reason about it. In his view, humans are inept at rationally evaluating security risks and making good decisions about them. Most people don't consider that every increase in security involves a trade-off in cost, speed, convenience or performance, and most people are irrational when making those trade-offs. We typically take precautions that are not warranted by the actual level of risk, and we fail to take precautions that are warranted. Much of this is driven by media coverage of high-profile events.

Schneier is often quoted as saying, "if it's in the news, don't worry about it." I think he's right, because common events are not newsworthy. It is only extraordinary events, i.e. rare and relatively low-probability events, that attract audience interest. For example, many news viewers react to coverage of plane crashes by becoming fearful of flying. Yet the same people who are afraid of flying think nothing of driving, because auto accidents, even fatal ones, are so common that they rarely make even the local news, whereas airline incidents are so uncommon that a non-fatal one in Singapore is broadcast to every television and computer in the world.

So how worried should your company be? And what level of precaution should you be willing to take to protect your data? Aside from regulatory requirements, I think every company should evaluate the level of risk it faces and the cost of the trade-offs required to mitigate specific risks. One risk most companies are taking is self-managing their physical infrastructure, when it is practically impossible for them to match the physical, network and platform security that IaaS providers like Amazon Web Services and Microsoft Azure bring to the underlying infrastructure. (The customer remains responsible for what runs on top of that infrastructure: identities, access policies, network rules, patching and data protection. Moving to the cloud removes one class of risk; it does not remove the need to manage the rest.) The most irrational part of this kind of risk taking is that mitigating the risk involves few trade-offs and many positive gains. Moving to AWS, for example, will almost always reduce cost while increasing performance, agility and scalability, all while achieving a level of infrastructure security not possible in the self-managed environments that many of the vulnerable 90% of companies operate in.

So why hasn't every company moved to AWS? I think Bruce Schneier would have some thoughts. From my experience, it is a misperception of the riskiness of the cloud relative to the riskiness of one's current environment, combined with a failure to keep pace with current developments in cloud technology. As malicious actors rapidly grow more sophisticated, it becomes increasingly important for all of us to rationally evaluate our risk levels and seek the ways to mitigate risk that carry the fewest trade-offs. Cloud technologies give us the opportunity to draw on the expertise and focus of the best security minds to meet these challenges at a very low relative cost.

Blue Sentry is an advanced-tier Amazon Web Services (AWS) consulting partner specializing in application and data migrations, expert managed services and virtual desktops. Blue Sentry serves clients globally, with operations in North Carolina and South Carolina.