As part of my efforts to stay educated, I try to allot some time each day to peruse my Twitter feed, blog feed, and other such sources. Some days are more informative than others, but in general, I have noticed something quite concerning of late. We as a security community tend to suffer from tunnel vision. What do I mean by this? Allow me to explain.
Wikipedia defines tunnel vision as “the loss of peripheral vision with retention of central vision, resulting in a constricted circular tunnel-like field of vision.” In other words, we can see what is directly in front of us, in the direction we have oriented ourselves, but we cannot see anything on the periphery. This definition obviously refers to a serious and unfortunate physical ailment that some people suffer from. Nonetheless, I believe that we can take the physiological concept of tunnel vision and learn an information security lesson from it.
Tunnel vision poses a significant risk to an organization’s security posture, and indeed to the security profession as a whole. The risks of tunnel vision are summed up quite nicely in a Forbes piece entitled “15 Ways to Identify Bad Leaders”:
Leaders without vision will fail. Leaders who lack vision cannot inspire teams, motivate performance, or create sustainable value. Poor vision, tunnel vision, vision that is fickle, or a non-existent vision will cause leaders to fail. A leader’s job is to align the organization around a clear and achievable vision. This cannot occur when the blind lead the blind.
This point is further illustrated in an FT piece entitled “Look out for the tunnel vision trap”, which offers the following point when discussing vision-related risks:
One is the “tunnel-vision trap”, which occurs when managers fixate on a single vision of the long-term future that distracts them from an emerging situation in the present. This risk is particularly acute in rapidly changing environments, including emerging markets (such as China, India and Brazil), technology intensive industries (for example, medical devices or software) and areas where different industries are converging (such as information technology, entertainment, telecommunications and consumer electronics).
Life is full of distractions, and the information security profession is not immune to them. We as security professionals have an obligation to remain focused on building, maturing, and improving our security programs and security postures. This necessitates a holistic vision focused on mitigating the risks and threats to the whole of the organization. This, by definition, is contrary to a vision fixated on a specific issue. That type of vision would be a textbook case of tunnel vision.
There will always be scandals that will surface, fads that will come and go, and buzzwords that will abound. As information security professionals, our professional duty is to stay focused holistically across all of our duties and not to get distracted or spend an inordinate amount of time chasing shiny objects.
Along these lines, I’d like to discuss two specific topics.
Over the past two years, I have seen an almost obsessive focus on surveillance and encryption. I’m not saying that privacy isn’t an issue (it is) and that privacy concerns aren’t legitimate (they are). Rather, what I’m saying is that, off the top of my head, I can think of quite a number of other threats to both large organizations and private citizens alike. Unfortunately, I don’t see much discussion on any of them. Rather, it seems that we as a community have succumbed to tunnel vision, to the detriment of all of the other topics for discussion.
Similarly, the Internet of Things (IoT) seems to be quite the buzz in 2015. I hear a lot of hype about the security ramifications that IoT brings with it, but what I don’t hear is a lot of substantive discussion on what we as a community will do about it. How do we intend to embrace network-connected devices of all different types, and how will we adapt our existing security programs to bring those devices into the fold? What specific risks and threats do these devices pose to our organizations? How will we go about mitigating those risks and threats? How will we collect the requisite telemetry data? These are just a few of the many questions that will need to be addressed through a substantive discussion.
I advise organizations to resist the temptation to run with the herd. If we take a step back and look at the big picture, organizations are still being compromised via attack vectors we’ve known for quite some time. For example, the overwhelming majority of breaches and intrusions still occur via social engineering and watering hole attacks — two very common attack vectors that we as a community still struggle with. True, the specific technologies involved evolve and change (e.g., email, SMS, chat applications, etc.), but the overall strategy of the attackers remains much the same. Compromise the weakest link. Exploit the human. I am not convinced that my Internet connected toaster really changes the game all that much.
A deliberate and strategic approach to security is still the reigning king. Managing, mitigating, and minimizing risk is still the best approach for building, maturing, and improving a security program. Granted, certain specifics will evolve and change over time, but the overarching principles and foundational tenets will not.
Education, discourse, and collaboration on a number of different topics simultaneously have always been how we as a community make progress. If we focus entirely on one topic and elevate it to dominate every conversation, we cannot attend to the other, equally deserving topics. It’s easy to follow the herd mentality and jump on the bandwagon, but it comes at a great cost to our communal progress. I am concerned that the issues we have pushed aside in order to follow the herd may remain unsolved.
I’m sure that there are those in the community who will agree with my concern. The question becomes one of whether or not we can gain enough attention for the other topics we are concerned about and interested in discussing. Time will tell. There is certainly no shortage of bright, shiny objects to distract people, unfortunately.