Dan Geer: It's lonely in the middle -- but it doesn't have to be
A note from security luminary Dan Geer to those middling firms that are not yet resource-rich enough for how information-rich they already are.
By Dan Geer
January 21, 2013 — CSO
For the middle class of companies, information protection is especially hard.
On the one hand, you now have information that is both a present corporate operational necessity and information that is what will build your future. The new and/or tiny firm may have intellectual property that is what their future is made of, but when a company is small the problem of protection is more straightforward because some one person still knows what it all is and where it all is.
The Fortune 100 industry leader may have trade secrets that are likewise what their future is made of, but by virtue of their size they can buy protections sufficient to keep the protection problem and the apparatus to solve it inside the company.
For the middle-sized firm, keeping the protection problem inside the company is closer to intractable than it is for either the small firm or the large one, because the mid-range problem grows too big for one person to handle well before the mid-range firm can afford a full, in-house protection regime.
This note is written for those middling firms that are not yet resource-rich enough for how information-rich they already are.
This is a risk management problem. Because you want your information to be used (else why have it?), your information will be in motion. While there are security solutions to information-at-rest, information-at-rest that is not used is irrelevant to this discussion. (Take it offline if it is simply archival.) You need a solution for information-in-motion. It is worth repeating that you will still have your digital information even if someone else steals it -- unlike when your car is stolen. The Verizon Data Breach Investigations Report (DBIR) regularly reports that the majority of information theft is silent: the DBIR's number is that 80 percent of all information theft is discovered by an unrelated third party. The Index of Cyber Security (ICS) asked CISOs "Have you and/or your colleagues discovered an attack at another entity?" for which 55 percent said "Yes and confirmed" and another 10 percent said "Yes but unconfirmed." Information that is stolen is information-in-motion, just not a desirable motion.
The great strength of capitalism is the division of labor. We all do it every day. It can be a convenience, or a cost saver, or a matter of safety. As circumstances change, you may bring something in house that had been done for you by others, just as you may have others handle something for you that you may have been doing for yourself before. We think that information protection may well be something that, when you are small, you do for yourself out of necessity. When you are really big, you may do it for yourself out of some combination of discipline and cost. In between, the risk management question is "Is our skill up to the job?" Better to say "No" and find a solution than to hope that the bad guys just don't notice you.