Uncertainty can take many forms in our environment. In the natural environment it is what gives rise to biodiversity, and our busy work lives are no exception. In info sec, the sources of uncertainty can be narrowed down a bit. There can be newly found vulnerabilities. The QA area can spend an immense amount of time testing for vulnerabilities with many staff members, and there can still be vulnerabilities from coding oversights; no one has perfect coding skills. There may also be old vulnerabilities that are only recently published. Although this is not common, it is still a viable avenue. The app or program could simply have poor coding. Evidence of this is readily available, the preponderance being SQL injection attacks that still work and prove to be profitable for the attacker(s). There may also be the insider threat, intentional and unintentional. The intentional may come from the disgruntled employee who just provided his two weeks' notice or is intensely irritated with his boss and the lack of a substantial raise. The unintentional avenue includes the hapless employee who still clicks on the kitten picture or believes that UPS has a delivery for him and 20 others, all on the same email with the same identification number.
Try as we may, the C-level will not be able to fully plan for every single potential issue. There will always be some algorithm in the environment that you cannot plan for. The Info Sec group will certainly work diligently and could spend an immense amount of money; however, the best we can plan for is to mitigate the risk to an acceptable level given the business environment in its entirety.
A recent podcast was somewhat related to this (Murphy, 2016). The podcast guest, Jack Freund, stated that we should become comfortable with uncertainty. Certainty is stagnant: it does not create new ideas, follows the same status quo, does not deviate from the script, and produces no creativity. The only constant is change. Uncertainty is the alternative: it creates new methods and theories for Info Sec, creates new ways of searching for issues, and increases the planning to mitigate the potential risks.
A certain level of uncertainty is a benefit for the industry and the overall Info Sec community. This comfort with uncertainty allows us to react to situations that are not in the script of life or in the policy that has been sitting on the shelf collecting dust since it was last updated a year ago. The variability provides for a much more prepared staff and security team.
Learn more about protecting yourself and your business at the National Cybersecurity Institute.
Murphy, B. (Producer). (2016, May 20). Bill Murphy’s Red Zone [Audio podcast]. Retrieved from http://itunes.apple.com
Charles Parker, II, has been coding since the mid-1980s and has been working in the finance, auto manufacturing, and health industries seeking secure solutions for issues for over 17 years. Charles has an MBA, MSA, JD, and LLM, and is a doctoral candidate for a PhD in Information Assurance and Security.