Why hacking leads to less security respect

If security and risk management continue to be marketed as tools that aren't necessarily complementary to an organization’s strategy, they will continue to be seen as outsiders.

Hacking

One of the biggest trends, emphasized especially by motivational videos and social media, has been hacking: using tips or techniques to build an advantage because popular viral personalities use them. These usually come with catchy lines such as “Increase your sales 35% now with this unique technique” or “Stop all security threats with one magic product!” This has nothing to do with the technical definition of hacking, which is not about computer intrusions but about exploring the limits of technology and going beyond them.

This is a business issue that has a wide-ranging impact on security, because the way in which security is marketed and sold is based on products, not on the risk mitigation that is actually needed. The failure to recognize the organizational structures and relationships that business is based upon leads to the marginalization of security as yet another product that doesn’t add value.

What is arbitrage?

Arbitrage is the method by which most of our businesses make money. According to Google, it is the simultaneous buying and selling of securities, currency, or commodities in different markets or forms to take advantage of differing prices for the same product or asset. It is the ultimate driver of our economy. When people look for shortcuts or hacks, they are looking to use arbitrage to their advantage. Even banks use a form of it: they are based on Fractional Reserve banking, in which they lend out depositors’ money at a higher interest rate than they pay those depositors in interest.

People keep familiar, and sometimes old and inefficient, systems in place because they make money for the involved parties through arbitrage. While these systems, such as the stock market, may seem antiquated and ripe for disruption by outsiders, they are the physical implementation of Interlocking Directorates.

Interlocking directorates, indirect interlocks and clan control

Interlocking directorates are formed when one executive/board member sits on the boards of one or more companies. They are the relationships formed between companies that share board members. Direct Interlocks, where competitors share board members, are illegal in the US according to the Clayton Act; however, they do exist elsewhere. Indirect interlocks, where board members sit on the boards of multiple companies and have friends or colleagues who do the same, create a series of relationships and the potential for influencing multiple companies. This has a downstream effect and provides an incentive for keeping systems in place that enforce arbitrage to the benefit of board members and investors. Outside the US, where there are far fewer rules, this becomes much more obvious.

Technologies such as cryptocurrency or Distributed Ledger Technology (DLT) implementations that purport to disrupt existing systems and provide hacks to them aren’t going to work without somehow plugging into the existing Interlocking Directorates and providing benefit to their members. They will work if people establish their own systems, including Indirect Interlocks, where none existed before, in white spaces where solutions do not exist. These are excellent technologies that provide very real value in multiple dimensions. However, when they are presented to organizations as being disruptive and not supportive, the presentation puts a dark cloud over the very real benefits.

Clan Control, in which the behaviors, values, beliefs, and actions of an organization strongly resemble a family dynamic, is the closest analogue to how Interlocking Directorates operate. There are a lot of unspoken rules and processes that need to be followed, and the members support each other. These are families, and you need to understand that even though these people may have their differences, they have mutual respect, admiration, and relationships, and they are as close to a family as you will get in the business world. In the US and other countries, you normally don’t make the executive level at large companies without the help or sponsorship of others.

The consequences of hacking

Disrupting or attempting to hack indirect interlocks is the wrong approach and will backfire. Learning the needs of the members, respecting the existing relationships and people, and presenting solutions that improve the ecosystem as a whole is the correct approach. There are years of relationships, processes, and people that you need to understand before you are able to present effective change. You won’t learn that from watching a motivational video on LinkedIn. You will learn it by working with people, putting in the effort to learn how to help them improve rather than disrupt, and continually demonstrating that. Even technologies and processes perceived to be disruptive, such as smartphones, Grameen Bank, PayPal, crowdfunding and Distributed Ledger Technologies, end up being complementary to the existing systems and processes in place and contribute to overall improvement. The jury is still out on social media, however.

Effects on security

One example of this is security products. There are a number of products being sold as silver bullets to address security issues. The current marketing approach has been to tell customers that they don’t need to do anything but put in a product to address their privacy and security needs. Every year there are new products from new startups that purport to fix the issues of the previous ones. The sales teams often tout the value of ripping out existing systems and replacing them because of some new angle that the new products have. This directly conflicts with the fact that most companies have limited resources, and this approach keeps them on a constant hamster wheel.

Another example is security consulting. There are a number of security companies that will offer to provide consulting services to customers, including risk assessments and plan development. One of the major issues is that these consultants, while they provide end products that appear on the surface to meet customer needs, deliver services that don’t really meet them, and end up giving the customer just a deliverable. Security is a process, and the eventual goal is to establish risk management as part of business, not as something you buy to meet requirements.

With the emphasis on distributed technologies such as DLT, cloud computing, and data interchange, security and risk management are more critical than ever. As long as they are marketed as not complementary to an organization’s strategy, and not as part of overall organizational improvement that is respectful of the structures, relationships, and people, they will continue to be seen as outsiders.

This article is published as part of the IDG Contributor Network.