It seems to me that everything I knew in my youth to be true has been overturned, refuted, disavowed.¹ I have taken some of this rather hard, especially the news about Santa Claus. On the other hand, the process of learning to see the world in a different way has been a constant source of intellectual excitement my entire life. In information security, I have seen a vast revolution, from the days of “It cannot be done” to today’s “It must be done.” My enthusiasm about our profession has not only not abated, but it has increased enormously in the years—still just a few years—that the reality of the threat of cyberattacks has been recognized.
There were certain tenets that I absorbed as I learned my craft:

• Information resources are to be used by those authorized to do so.
• Encryption is the most effective way to protect information from misuse.
• Authenticated identity is the basis for access

These and many other verities are part of the tribal wisdom of the InfoSec clan; who am I to challenge them? Yet, since governments, criminal gangs and terrorists have taken to attacking the security of information systems, targeting individuals, corporations and governments, I have been forced to consider revising, if not abandoning, all that I have known to be true.
Is authorized use an immutable principle? This is a subject of hot dispute between the EU and the US. The European Court of Justice ruled in October 2015 that information owned by citizens in the EU was not safe from the unauthorized, prying eyes of security organizations in the US, especially the US National Security Agency (NSA). While the NSA has not officially said so, it would seem that its leaders feel that safety from terrorism overrides concerns about authorized use. Without expressing my opinion on the matter, I believe that information security professionals need either to relinquish the principle that only authorized use is permissible or defend it. It is no longer an unchallengeable truth.
Much the same can be said about encryption. Is it a truly effective means of security if the bad guys can use it to subvert security itself? Many police agencies think it is not, while many in the information security field reject the argument for providing “back doors” to encryption schemes. I happen to think that back doors make it easier for crooks to outsmart the cops, but still the point of view of the US Federal Bureau of Investigation (FBI) and the intelligence community cannot just be dismissed out of hand.
Access rights and privileges are accorded to individuals, presumably based on their job requirements. Increasingly, cyberattacks are being perpetrated not by the intrusion of malware, but by theft and misuse of the credentials of authorized users, especially those with privileged access. As noted by the US Federal Financial Institutions
Steven J. Ross, CISA, CISSP, MBCP
Is executive principal of Risk Masters International LLC. Ross has been writing one of the Journal’s most popular columns since 1998. He can be