Despite increasing data breaches (a whopping 4.7 billion data records worldwide being lost or stolen since 2013) and mounting regulatory and customer pressures around data protection, IT decision makers worldwide continue to ignore reality and rely on the same breach prevention strategies when it comes to protecting customer data and information. Today’s IT security professional clearly has a “reality distortion field” when it comes to the effectiveness of perimeter security.
According to a recent survey of IT decision makers worldwide, one-third of organizations experienced a data breach in the past 12 months. Yet, while 86 percent of organizations have increased perimeter security spending, 69 percent are not confident their data would be secure if perimeter defenses were breached. This is up from 66 percent in 2015 and 59 percent in 2014. Furthermore, 66 percent believe unauthorized users can access their network, and nearly two in five (16 percent) said unauthorized users could access their entire network.
Reality distortion field is a term used to describe the belief that wanting and willing something—even the near-impossible—can make it happen. The term found its inspiration in a two-part episode of Star Trek that aired in 1966, where inhabitants of the planet Talos are able to create new worlds and thoughts in the minds of other people.
According to pop culture legend, Bud Tribble, a software developer on the original Macintosh computer, used the term to describe Steve Jobs, noting, “In [Jobs’s] presence, reality is malleable. He can convince anyone of practically anything. It wears off when he’s not around, but it makes it hard to have realistic schedules.” Charismatic SpaceX and Tesla CEO Elon Musk has also been described as having a reality distortion field.
Jobs and Musk’s contributions to technology advancement are legend because of their ability to push people past their own perceptions of reality. However, a reality distortion field has overtaken today’s data security mindset when it comes to the effectiveness of perimeter security. IT budgets summarize today’s reality in security: perimeter security is consuming an ever-larger share of total IT security spending, but security effectiveness against the data-breach epidemic is not improving at all. Organizations are not investing in security based on reality as it is; they’re investing based on reality as they want it to be. The problem and the solution to the problem just don’t match up.
To be clear, organizations should not stop investing in key breach prevention tools. However, we need to be able to see through cybersecurity’s reality distortion field and place our bets on strategies that align to the problems we face today.
Look at it this way: If it’s impossible to keep intruders out of the network, the logical approach is to build security around the assumption that they are already on the inside. When you do this, you focus on what matters: securing your data.
It then becomes clear that you need to move your security controls as close as possible to the data so attackers can’t use it, even if they have breached the perimeter. In effect, you need to create a “Secure Breach” environment.
Technical specifications will vary depending on IT infrastructure, but with this blog, I hope to highlight the questions organizations need to ask to adjust their security strategies appropriately and how they can realign their investments and tactics to better emphasize data security. Watch this space!
( This post was also published on Network World).