In this four-part series, I’m going to be reflecting on, and challenging, some common “truths” about cybersecurity.
What I’ll discuss may make some people uncomfortable. Some of what I have to say will be inconvenient. But I hope that, by the end of the series, we can agree on a pragmatic way to think more seriously about security, and act on it.
Today we all face the inescapable reality that critical IT systems aren’t as secure as we think they are.
But how much do we really care?
You might object to the premise of that question. You use anti-malware, anti-spam, and anti-virus software. Your firewall is tight. You’ve implemented two-factor authentication. Your organization has a mature change management process. You even know what version of Adobe Acrobat you are running. Of course you care about security.
Or is it compliance that you really care about? If that’s the case, then we have a problem. Being compliant certainly does not equal being secure. It’s a good place to start, but we must go way beyond compliance if we’re serious about IT security.
As a first step, consider that the world of security as it is understood today is founded on a cost-effective and convenient dismissal of basic security logic. To paraphrase Morpheus in the pivotal red pill/blue pill scene from ‘The Matrix’: the cybersecurity reality that you know is a world that blinds you to the truth.
In the Matrix, Neo is given a simple choice. He can take the blue pill and return to the Matrix, oblivious to the reality in which he lives; or he can take the red pill and learn the truth about his world.
So, ask yourself: do I want to take the blue pill or the red pill? Remember, Neo didn’t have ANY idea what was coming! See you next time.