IT security’s reality distortion field

Opinion
Aug 29, 2016 | 3 mins
Network Security, Security

Organizations need to create a 'Secure Breach' environment to safeguard data

Despite increasing data breaches (a whopping 4.7 billion data records worldwide being lost or stolen since 2013) and mounting regulatory and customer pressures around data protection, IT decision makers worldwide continue to ignore reality and rely on the same breach prevention strategies when it comes to protecting customer data and information. Today’s IT security professional clearly has a “reality distortion field” when it comes to the effectiveness of perimeter security.

According to a recent survey of IT decision makers worldwide, one-third of organizations experienced a data breach in the past 12 months. Yet, while 86 percent of organizations have increased perimeter security spending, 69 percent are not confident their data would be secure if perimeter defenses were breached. This is up from 66 percent in 2015 and 59 percent in 2014. Furthermore, 66 percent believe unauthorized users can access their network, and nearly two in five (16 percent) said unauthorized users could access their entire network.

Reality distortion field is a term used to describe the belief that wanting and willing something—even the near-impossible—can make it happen. The term found its inspiration in a two-part episode of Star Trek that aired in 1966, where inhabitants of the planet Talos are able to create new worlds and thoughts in the minds of other people.

According to pop culture legend, Bud Tribble, a software developer on the original Macintosh computer, used the term to describe Steve Jobs, noting, “In [Jobs’s] presence, reality is malleable. He can convince anyone of practically anything. It wears off when he’s not around, but it makes it hard to have realistic schedules.” Charismatic SpaceX and Tesla CEO Elon Musk has also been described as having a reality distortion field.

Spending on perimeter security increases, but effectiveness does not

Jobs and Musk’s contributions to technology advancement are legend because of their ability to push people past their own perceptions of reality. However, a reality distortion field has overtaken today’s data security mindset when it comes to the effectiveness of perimeter security. IT budgets summarize today’s reality in security: perimeter security is consuming an ever-larger share of total IT security spending, but security effectiveness against the data-breach epidemic is not improving at all. Organizations are not investing in security based on reality as it is; they’re investing based on reality as they want it to be. The problem and the solution to the problem just don’t match up.

To be clear, organizations should not stop investing in key breach prevention tools. However, we need to be able to see through cybersecurity’s reality distortion field and place our bets on strategies that align to the problems we face today.  

Look at it this way: If it’s impossible to keep intruders out of the network, the logical approach is to build security around the assumption that they are already on the inside. When you do this, you focus on what matters: securing your data.

It then becomes clear that you need to move your security controls as close as possible to the data so attackers can’t use it, even if they have breached the perimeter. In effect, you need to create a “Secure Breach” environment.

Technical specifications will vary depending on IT infrastructure, but with this blog, I hope to highlight the questions organizations need to ask to adjust their security strategies appropriately and how they can realign their investments and tactics to better emphasize data security. Watch this space!

Contributor

As a former ethical hacker with decades of experience in the information security industry, Jason Hart has used his knowledge and expertise to create technologies that ensure organizations stay one step ahead of the risks presented by ongoing advances of cyberthreats. He is currently CTO for data protection at Gemalto, where he is responsible for developing the company's encryption and crypto management offerings.

Hart has published numerous articles and white papers, and he often appears as an expert adviser on cybersecurity issues on national TV -- on BBC, CNN and CNBC, among other major news networks -- and on radio and in print media. In addition, he regularly provides advice on information security matters to governments, law enforcement agencies and military organizations, and he is vice chairman of E-Crime Wales.

The opinions expressed in this blog are those of Jason Hart and do not necessarily represent those of IDG Communications Inc., or its parent, subsidiary or affiliated companies.