Aldous Huxley once said, “That men do not learn very much from the lessons of history is the most important of all the lessons that history has to teach.”
So what lessons can we learn from the past few decades of exploding technology innovation? Can our brief history in cyberspace teach us anything about future cybersecurity challenges?
Let’s examine three time periods. First, the way we were (pre-9/11). Second, the way we are (from 9/11 to present). And finally, the way we will be (from 2015 until 2020).
Starting my career in the mid-1980s at the NSA was a foundational experience. After extensive background checks, all new employees were trained and tested on key national defense concepts. From the history of encryption to the importance of every relationship to the motto that “security is our middle name,” the NSA imparted a culture of security that still affects my thoughts and actions.
But moving to Michigan state government to lead Y2K remediation efforts in the late ’90s revealed a dramatically different work culture. On my first day I noticed there were no guards in buildings, badges were rarely worn and security seemed nonexistent. However, there were signs imploring women to “watch your purses.” I discovered that people were regularly walking in off the street and stealing purses from cubicles.
Yes, I tried to boldly wave security warning flags. Nevertheless, my proclamations were largely in vain. I was mocked. “We’re not the NSA now, are we?” was the typical response. Eventually, I evolved and moved on from Y2K to e-government and building the first Michigan.gov portal.
Almost everyone can remember where they were on Sept. 11, 2001. After 9/11, our culture dramatically changed. For me, guards, badges and respect for security were back. I became Michigan’s first chief information security officer in May 2002 with the mission to secure essential systems. Our enterprise security team made big strides in better information security. But a tough lesson and another security pendulum swing was coming.
In 2003-2004, deploying wireless networks was hot. Government IT executives were eager to offer wireless Internet access in conference rooms, but I was against it. Armed with white papers from three-letter agencies in D.C. and scary headlines describing “war driving” with breaches, I declared, “No wireless!”
And I was almost fired. My boss at the time was Teri Takai, who was later CIO of California and the U.S. Defense Department. She said, “If Dow Chemical, Ford, Chrysler and GM can do wireless, so can we. Get me a secure solution if you want to be Michigan’s CISO.”
I was humbled that day, but learned a key lesson: Security teams must enable the business to exist. We must get to yes. Our goal became to offer secure options to technology deployments. As cloud computing, mobile apps, social media and big data projects were rolled out, we changed our implementation approach.
So where are we heading? Will there be another big incident? The next five years promise to bring: the Internet of Things with IP-addressable clothes, cars, medical devices, etc.; constant surveillance that challenges privacy in an open society; redefining identity management; more breaches, as well as your reputation, health and safety put at risk; and the need for security teams to be resilient and ready to recover quickly to keep up.
Will security teams be enablers? Will we get in at the ground floor of new technologies?
As we look back, what lessons traverse time? Seven takeaways:
A final thought: Start learning from history by examining your own personal career journey.