What do you think this is?

Just thoughts of a restless mind...

Diligence: the new cybergame

Significant changes are coming to the cyber security and data privacy landscape. I would consider these to be potentially game changers as they may alter the way organizations address their security posture and preparations.

But I think it's easier to explain through a similar story:

A school boy does not study enough. Of course, that is not important as long as he stays in the class, he is quite, does not provoke the teachers and does not attract their attention. He is also somehow lucky and gets asked questions that are easy, he can figure-out the answer somehow, or he can mumble enough words that would get him a passing grade.

One day he is asked to solve a problem and he fails. Miserably! Then he gets a really bad grade in this subject; he is still ok with the other grades though and the average is not affected significantly. We probably agree that, at this point, it is the parents' responsibility to discipline him further; the aim being him to start studying more. But as the school environment is only aware of this one day of bad performance, and since the grades are adequate or generally acceptable, neither the parents get too harsh about it nor the boy gets too serious. There is no penalty for not studying, only for not performing. The question is, does he or his parents understand the potential consequences if he runs out of lack?

due diligence refers to "Reasonable steps taken by a person to avoid committing a tort or offence"

History shows that most people (and organizations for what it's worth) do not. So the boy of our story changes his habits just a tiny little. He studies a little bit more maybe, or gets slightly better prepared when the examination period approaches.

How would the boy react though, if the teacher did some background investigation? What we, information security professionals, call "root cause analysis"?

Why did the boy under-perform? Was he adequately prepared? Let's assume that the teacher finds out that the boy was not studying. Would things change if, having that knowledge, the teacher would take ALL his grades down? As a penalty for not being diligent?

That is what starts developing in the cyber security / data privacy world. We have heard of penalties for leak of private data, but the penalties tend to get higher, as the suffering organization does not prove due diligence.

I believe that due diligence is coming into the cyber security and data privacy landscape like a storm

The case of Talk Talk is clear: The company gets a (comparatively) severe penalty, and the penalty is so severe because the company was not adequately prepared. The wording in the new EU General Data Protection Regulation, the infamous GDPR, is also clear: References to "state of the art" and "encryption" do not directly mandate the use of either, but give the regulators enough power to establish the lack of diligence and subsequently raise the penalties to the incredible numbers considered (up to 4% of global revenue). So it's not about being fined for losing data any more, it's about being fined for not been prepared and not protecting the data adequately!

I cannot help but wonder what is next. There are lines between (a) performing a crime, (b) failing to defend, and (c) failing so obviously that you actually facilitated the crime. I think these lines are fading and getting quite fuzzy with such an approach.

As an Information Security Professional I have mixed feelings about that. Diligence is a good think, and I would like to see organizations getting more responsible. After all, high profile attacks are in the news every other day, proving that nobody is immune. Hence, we should do our best to make the intruder's life difficult and minimize the impact.

I am afraid though that it is not going to develop like that; fines will just get heftier but organizations will keep having the "it won't happen to me" mentality. Has financial regulation even changed anything or we should expect board-level accountability to come into place, not unlike SOX, for organizations to take Information Security seriously?

What are your thoughts about this?