Monthly Archives: January 2017

Complexity is the enemy of security

Larry Ponemon

We are pleased to present the findings of The Cost & Consequences of Security Complexity, sponsored by MobileIron. The purpose of this research is to understand the reasons behind the growing complexity of companies’ IT security architecture and how it is affecting their ability to respond to cyber threats. We surveyed 589 individuals involved in securing, overseeing and assessing the effectiveness of their organizations’ information systems or IT infrastructure.

While some complexity in an IT security architecture is expected in order to deal with the many threats facing organizations, too much complexity, as shown in this research, can impact the ability to respond to cyber threats. Participants in this research understand the negative impact IT security complexity has on their organizations’ security posture. In order to be able to protect their organizations from cyber threats, 68 percent of respondents believe it is essential (33 percent) or very important (35 percent) to reduce complexity within their IT security architecture.

According to respondents, employees’ access to cloud-based apps and data and use of mobile devices in the workplace are the biggest drivers of complexity. The growth in unstructured data is making it increasingly difficult to deal with cyber threats.

Complexity seems unstoppable. As shown in Figure 1, complexity is a growing problem. Fifty-eight percent of respondents say in the past two years the complexity of their organizations’ IT security architecture increased significantly (28 percent) or increased (30 percent) and 66 percent believe in the next two years complexity will increase.

Following are eight consequences of complexity.

  • Inability to integrate security technologies across different platforms.
  • Inability to ensure policies and governance practices are applied consistently across the enterprise.
  • Too many active endpoints.
  • Poor investments in overly complex security technologies that are difficult to operate and financial loss due to the scrapping of these complex technologies.
  • Inability to see vulnerabilities in the system.
  • Difficulty in communicating the organization’s security strategy and approach to deal with cyber threats to senior management.
  • Decline in productivity of IT security staff due to complexity.
  • Lack of accountability for IT security practices.

Part 2. Key findings

Here is a sampling of key findings; these will be explored in more detail during a webinar held on Jan. 17. Click here to register for the webinar.

Most IT security architectures are very complex. Sixty-seven percent of respondents say their organizations’ IT security architecture is very complex.

What are the consequences of complexity? Only 35 percent of respondents rate their ability to hire and retain qualified security personnel as high (7+ on a scale from 1 = no ability to 10 = strong ability). Also problematic is the ability to integrate security technologies across different platforms (only 29 percent rate their ability as high) or to ensure policies and governance practices are applied consistently across the enterprise (only 21 percent rate their ability as high).

Employees’ use of cloud-based apps and mobile devices is considered most responsible for IT security complexity. Some 64 percent say it is access to cloud-based applications and data, and 56 percent say it is the use of mobile devices (including BYOD and mobile apps), that increase the complexity of dealing with IT security risks. The rapid growth of unstructured data and constant changes to the organization as a result of mergers and acquisitions, divestitures, reorganizations and downsizing also increase complexity.

Investments in security technologies have contributed to complexity. In the survey, 61 percent of respondents say enabling security technologies have made it more complicated to deal with threats, and 72 percent say they have lost money on poor investment in enabling security technologies.

Current security architectures are overly complex. According to 71 percent of respondents, the complexity of their companies’ IT and IT security architecture makes it difficult to see vulnerabilities in the system and 51 percent of respondents say simplified policies and processes are needed to improve the ability to respond to a changing threat landscape.

Companies shelved or scrapped enabling security technologies because of complexity. Sixty-five percent of respondents say their company has had to frequently (27 percent) or sometimes (38 percent) scrap or shelve one or more enabling security technologies because they did not effectively moderate cyber threats or were too complex to operate. The primary reason for not deploying technologies purchased is that they were too complicated to operate (63 percent of respondents). Other reasons are the lack of in-house expertise to deploy and manage the technology (54 percent of respondents) and poor vendor support and service (48 percent of respondents).

Complexity makes it difficult to explain the approach taken to reduce IT security risks to senior management. Some 67 percent of respondents believe their company’s approach to dealing with cyber threats is too complex to explain to senior executives. Such difficulty in communicating IT security practices to senior management leads to difficulty in achieving goals and objectives set by senior management (49 percent of respondents). As a result, 62 percent of respondents say their company needs to simplify and streamline its security architecture.

Complexity affects the staffing of knowledgeable IT security professionals. As discussed previously, only 35 percent of respondents rate their companies’ ability to hire and retain qualified security personnel as high; 56 percent of respondents say they do not have the necessary expertise to deal with the complexity of their IT and IT security processes and 52 percent of respondents say their companies’ current IT security infrastructure is too complicated and, as a result, decreases the productivity of their IT security staff.

Ineffective IT security architectures are costly. Respondents estimate an average potential total cost exposure from IT security failures of $77 million. The most significant financial impact results from the organization’s response to information misuse or theft followed by costs associated with reputation and brand damage because of IT security failure.

To learn more about these findings, check out the webinar.

Here's what millions of leaked passwords look like, and other scenes from inside The Glass Room

Bob Sullivan

It’s very hard to make privacy and security sexy. The folks at Mozilla and the Tactical Technology Collective have done just that this month with a clever art installation/ pop-up shop in lower Manhattan called “The Glass Room.”

The Glass Room aims to inform and challenge visitors by making them see and touch real-life representations of digital risks, the same way you might wander through an art gallery and ponder other life mysteries.

Visitors there are forced to look at an encyclopedia-style pile of books in which every password stolen from LinkedIn is printed. They are listed alphabetically, so every few minutes someone exclaims when they find their password printed in the volumes.

The point is really the sheer size of that hack…which was indeed quite a bit smaller than Yahoo’s hack announced this week.

Other works include a Fitbit attached to a metronome, designed to fool the gadget’s supposed health-predictive abilities; Where the F&^&* was I, a printed book showing all the places the artist had been during a year, according to the cloud; and a screen showing data leaked by smartphones as people walk by outside.

Maya Indira Ganesh gave me a tour of the place.

“It’s an art exhibition that’s trying to shine a light on what it means to live in the data society,” she told me. It’s also trying to scare folks a little bit.

Not all surveillance technology is bad, of course. The Glass Room tells both sides of the story. Video monitors can help you check in on elderly family members, for example. But you should always wonder: Who else is watching, and why?

Thankfully, The Glass Room includes a detox bar in the back, with Apple-store-like “Ingeniuses” there to help you fix the privacy settings on your gadgets. They also offer an 8-day data detox kit, which I’ll be sharing in the future.

The Glass Room first popped up in Germany before making its way to Manhattan this month. The store closes this weekend, but you can browse the entire exhibit online. And, better yet, you can watch the videos I’ve attached to this story.