Security Debt

Friday, April 4, 2014 - 14:32

Martin McKeay's presentation at Networkshop warned us of the risk of spiralling "security debt".

Testing for, and exploiting, well-known vulnerabilities in networked systems now requires little or no technical expertise, as point-and-click testing tools are freely available. The best known of these led Josh Corman to propose "HDMoore's law": that the capabilities of the Metasploit tool now define a minimum acceptable baseline for technical security. Wendy Nather then suggested that this establishes the security "poverty line". Any organisation that cannot maintain its systems' security at or above this level - whether because of insufficient patching, technology, knowledge, manpower or willpower - is unlikely to be living sustainably on the Internet: instead it is in security debt.

And, like financial debt, security debt grows at a compound rate. The more trivially-exploitable vulnerabilities there are, the more effort the organisation will spend cleaning up after incidents, the less effort will be available to remove vulnerabilities, and the more vulnerabilities there will be. As with financial debt there are a number of ways out of this downward spiral: most are unattractive but the history of IT includes examples of all of them. The organisation (or its staff, by finding other jobs and incidentally making the situation even worse) can declare security bankruptcy; the organisation can struggle on until its customers or suppliers decide it is no longer safe to work with; the organisation can spend more money, though this is unlikely to be enough as security debt isn't just about not having enough "blinky lights"; the organisation can change its way of operating to bring it up towards the poverty line, and it can be innovative in how it thinks about, and does, security to reduce or eliminate the deficit.
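To make the compound-growth argument concrete, here is a small simulation I have added to this post (it is not part of the original, and the model and its parameters are my own assumptions, not figures from Jisc, Networkshop or the speakers mentioned). It treats a team's weekly effort as a fixed budget: open vulnerabilities generate incident clean-up that is paid first, and only whatever effort is left over is spent on patching. The interesting result is that the "poverty line" appears as a tipping point in the backlog: below it the backlog shrinks to a steady state, above it the gap grows geometrically each week, which is exactly the spiral the paragraph describes.

```python
"""Toy model of 'security debt' as a feedback loop (illustrative, not empirical).

Assumptions (all constructed for this example):
  - capacity:       total effort units the team has per week
  - new_per_week:   trivially exploitable vulnerabilities that appear each week
  - incident_cost:  expected clean-up effort per open vulnerability per week
  - one unit of effort left over after incident handling patches one vulnerability
"""


def tipping_point(capacity, new_per_week, incident_cost):
    """Backlog size at which patching exactly keeps pace with new arrivals.

    Below this value the backlog shrinks; above it the backlog grows at a
    compound rate of (1 + incident_cost) per week, until the team is fully
    consumed by incidents and the backlog then grows by new_per_week every week.
    A negative result means no backlog is sustainable: arrivals exceed capacity.
    """
    return (capacity - new_per_week) / incident_cost


def simulate(weeks, capacity, new_per_week, incident_cost, initial_backlog):
    """Return the weekly backlog trajectory, starting from initial_backlog."""
    backlog = initial_backlog
    history = [backlog]
    for _ in range(weeks):
        # Incident clean-up is not optional: it is paid first, up to all capacity.
        incident_effort = min(capacity, incident_cost * backlog)
        # Whatever is left goes on removing vulnerabilities (cannot patch more than exist).
        patched = min(backlog, capacity - incident_effort)
        backlog = backlog + new_per_week - patched
        history.append(backlog)
    return history


def classify(capacity, new_per_week, incident_cost, initial_backlog):
    """Label the organisation's position relative to the poverty line."""
    line = tipping_point(capacity, new_per_week, incident_cost)
    if initial_backlog < line:
        return "recovering"
    return "spiralling"


if __name__ == "__main__":
    # Constructed scenario: 20 effort units/week, 5 new vulns/week,
    # each open vuln costs 0.5 units/week in clean-up -> tipping point at 30.
    params = dict(capacity=20, new_per_week=5, incident_cost=0.5)
    print("poverty line (backlog):", tipping_point(**params))
    for start in (20, 32, 40):
        path = simulate(10, initial_backlog=start, **params)
        print(f"start={start:>3} {classify(initial_backlog=start, **params):>10}:",
              [round(v, 2) for v in path])
```

Running it shows three trajectories from the same team: starting at 20 open vulnerabilities the backlog settles at the weekly arrival rate; starting at 32, just above the line, the excess over 30 grows by a factor of 1.5 each week until incidents absorb all effort; starting at 40 the team never patches anything at all. Note that in this model "spending more money" does shift the line, but only the ratio of incident cost to patching capacity decides whether the loop converges, which is the point the post makes about changing how security is done rather than just buying more of it.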

Clearly these last two options, probably in combination, are the best choice for an organisation that wants to escape the vicious spiral and get back to a sustainable position. And, as Rodrigo Bijou commented via Twitter, viewing security as something that contributes to the organisation's products, rather than just its compliance process, can bring benefits to the organisation and a much greater sense of achievement to all those involved in security. Indeed, once you are in security profit, it strikes me that that may have a compounding effect too!