I was going to do a spooooky Halloween-themed post last Friday, with all the monsters and bogey-men of IT security, and some tortured analogy bringing them together at the end of the post. Instead, let’s have a serious conversation about what I think is one of the biggest problems in IT security right now.
Much as Halloween takes the bite out of things that are supposed to be scary, I worry that the constant stream of security alerts is producing alert fatigue among IT professionals.
Another Security Breach? Yawn.
October was National Cyber Security Awareness Month. Some would say that the constant drumbeat of security breaches in the news validates the need for this sort of reminder, but there is definitely a risk of the industry crying wolf once too often. My US colleagues seem to take it for granted that their credit card data will be stolen at least once a year, and that this is no big deal.
I’m based in Europe, so both aspects of that situation are mildly shocking to me. I use my cards all the time, but thanks to Chip&PIN (and basic security awareness, such as refusing to provide the numbers in plaintext email) I have never had them cloned, touch wood. Also in Europe there is far less consumer protection, so if cards were getting hacked at the rate they appear to be in the US based on my unscientific sample, there would be a revolt against credit cards. In much of (continental) Europe it is still strange to use cards for anything below €50 or even €100, and while that mindset is changing slowly, any major security panic would be sure to roll back that acceptance.
It is the blasé attitude of my US colleagues that is most shocking to me – but to them, it makes perfect sense. If your data were already stolen twice this year and nothing bad happened, the third time is an annoyance, not a panic.
We vendors are part of the problem. I have seen pitches like “Three Things Ebola Teaches Us About Security!”. Yes, Ebola. Really. We can’t blame users for being turned off by security if we are all screaming at them through megaphones.
Alert fatigue is not unique to our field. In healthcare it is serious enough to be studied scientifically, from the point of view of both the medical professionals and their patients. We see the same thing in IT: if the entire dashboard lights up red, how do you even start? Never mind that an unknown number of those red alerts actually fall under the various headings of “don’t worry, Alice and Bob are dealing with that one”, “they all do that, sir”, and “yeah, we know about that one, but we can’t fix it because it would break something else”.
All too often, IT security is treated like firefighting – complete with people running about, screams, destruction, and a huge mess to clean up afterwards. This approach can work if the events it addresses are few and far between, but security problems are frequent. Worse than that, IT teams rarely have time to make sure one fire has been put out completely before getting hauled off to put out a new flame, so the old one keeps smouldering and flares up again later.
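The three headings above (someone is already on it, it is known noise, it is an accepted risk) are exactly the states a triage layer in front of the dashboard should track, and the smouldering-fire problem is what happens when those states never expire. The following is an added example, written for this post and not code from BMC or any product it mentions: it collapses duplicate alerts into one row per rule and host, hides alerts covered by an unexpired suppression (with an owner who has to answer for it), and deliberately resurfaces anything whose suppression has lapsed instead of letting it stay silent. Rule names, hosts, owners and timestamps are all constructed for the example.

```python
"""Alert triage with owned / benign / accepted-risk suppressions that expire.

Added example, not part of the original post. All alerts, hosts, owners and
dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Alert:
    rule: str            # name of the detection rule that fired
    host: str
    severity: str        # one of the SEVERITY_RANK keys
    fired_at: datetime


@dataclass(frozen=True)
class Suppression:
    rule: str
    host: Optional[str]  # None means "applies on every host"
    reason: str          # "owned" (Alice and Bob are on it), "benign" (they all do that),
                         # or "accepted_risk" (known, can't fix without breaking something)
    owner: str           # who must re-justify the suppression when it expires
    expires_at: datetime


def _matches(s: Suppression, a: Alert) -> bool:
    return s.rule == a.rule and (s.host is None or s.host == a.host)


def _sort_key(row: dict) -> tuple:
    return (SEVERITY_RANK[row["severity"]], row["rule"], row["host"])


def triage(alerts, suppressions, now: datetime) -> dict:
    """Return {"actionable": [...], "resurfaced": [...], "suppressed": [...]}.

    actionable: no suppression matches; this is the real work queue.
    resurfaced: a suppression once covered it but has expired; the fire that
                "keeps smouldering" comes back to the top instead of staying hidden.
    suppressed: covered by a live suppression; shown with reason, owner and time left.
    """
    # 1. Deduplicate: one dashboard row per (rule, host) with a hit count,
    #    so ten identical firings do not light up ten red tiles.
    groups: dict = {}
    for a in alerts:
        key = (a.rule, a.host)
        if key not in groups:
            groups[key] = {"alert": a, "count": 0}
        groups[key]["count"] += 1

    actionable, suppressed, resurfaced = [], [], []
    for (rule, host), g in groups.items():
        a = g["alert"]
        matching = [s for s in suppressions if _matches(s, a)]
        live = [s for s in matching if s.expires_at > now]
        if live:
            s = min(live, key=lambda s: s.expires_at)  # the soonest to expire is the one to watch
            suppressed.append({"rule": rule, "host": host, "count": g["count"],
                               "severity": a.severity, "reason": s.reason,
                               "owner": s.owner,
                               "expires_in_days": (s.expires_at - now).days})
        elif matching:
            # 2. Every matching suppression has lapsed: surface it again, naming
            #    the previous owner so someone has to decide rather than ignore it.
            s = max(matching, key=lambda s: s.expires_at)
            resurfaced.append({"rule": rule, "host": host, "count": g["count"],
                               "severity": a.severity, "previous_owner": s.owner,
                               "previous_reason": s.reason})
        else:
            actionable.append({"rule": rule, "host": host, "count": g["count"],
                               "severity": a.severity})

    actionable.sort(key=_sort_key)
    resurfaced.sort(key=_sort_key)
    return {"actionable": actionable, "resurfaced": resurfaced, "suppressed": suppressed}


# --- constructed sample data (hypothetical rules, hosts and owners) ---
NOW = datetime(2014, 11, 3, 9, 0, tzinfo=timezone.utc)
_min = lambda m: NOW - timedelta(minutes=m)

SAMPLE_ALERTS = [
    Alert("ssh-brute-force", "web01", "high", _min(40)),
    Alert("ssh-brute-force", "web01", "high", _min(25)),
    Alert("ssh-brute-force", "web01", "high", _min(5)),
    Alert("outdated-openssl", "db02", "critical", _min(120)),
    Alert("outdated-openssl", "db03", "critical", _min(118)),
    Alert("noisy-backup-agent", "web01", "low", _min(60)),
    Alert("noisy-backup-agent", "db02", "low", _min(61)),
    Alert("new-admin-account", "ad01", "medium", _min(15)),
]

SAMPLE_SUPPRESSIONS = [
    Suppression("outdated-openssl", "db02", "accepted_risk", "dba-team", NOW + timedelta(days=30)),
    Suppression("outdated-openssl", "db03", "accepted_risk", "dba-team", NOW - timedelta(days=5)),
    Suppression("noisy-backup-agent", None, "benign", "backup-team", NOW + timedelta(days=365)),
    Suppression("new-admin-account", "ad01", "owned", "alice", NOW + timedelta(days=2)),
]


def demo() -> dict:
    """Run triage over the constructed sample set."""
    return triage(SAMPLE_ALERTS, SAMPLE_SUPPRESSIONS, NOW)


if __name__ == "__main__":
    for bucket, rows in demo().items():
        print(bucket)
        for row in rows:
            print("  ", row)
```

On the sample set the dashboard shrinks from eight red alerts to one actionable row (the three SSH brute-force hits on web01, counted once), one resurfaced row (the openssl finding on db03 whose accepted-risk entry expired five days ago, attributed to its previous owner), and four suppressed rows that still show who owns them and when the suppression runs out. The expiry is the important design choice: a suppression with no end date is how a fire that was never fully put out stays invisible until it flares up.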
Stop fighting fires
Let’s look at a new way of addressing the problem. Let’s get everyone to sit down together: auditors, security pros, sysadmins, and – last but not least – the users themselves, whose needs we are all supposed to be serving. Let’s see if we can’t figure out a way for everyone to get what they need.
There is no one-size-fits-all solution, but we think we have assembled a pretty good toolkit for building solutions to suit each individual situation. Importantly, that is not going to be a 100% BMC toolkit. We are working with other vendors so that we can all build on each other’s strengths and make our users that much more successful.
Stand by for more information on partnerships. In the meantime, I talked about this topic with Renee Murphy, senior analyst at Forrester, and you can review our conversation here. You can also find the latest information on BMC’s Intelligent Compliance recommendations at bmc.com/compliance.