What’s the Cost of Encryption in England? A Big Mac Index for Security
After all the buzz and blimey out of London Tech Week and Interop London 2015, I was ready for a Big Mac. Typical American, right! The Big Mac I’m thinking of is more related to economics than any McDonald’s pink slime concoction.
Before more fast food puns, a little background is in order. For many of the security pros I talked with at Interop – some after a fun presentation on IoT and encryption with 451’s Eric Hanselman – there has been a shift from compliance toward security. Until last year, meeting compliance was the main driver for many CISOs and security architects. Holes in compliance left a bunch of companies fleeced and wondering what the hell they were building in the first place. In London last week, there was a general understanding that you start with protection of information and users, then make sure you’ve covered compliance once everything is working. Could it be that, by lowering the bar, compliance measures have contributed to a set of expectations so lousy that they have scared many organizations toward much, much better data protection? The cost of failing an audit or regulatory benchmark seems to be turning from fear of a fine to fear of, well, everyone, from customers to shareholders.
The thousands of geeks buzzing around London Tech Week also served to extend the public debate on encryption going on in the U.K. With its own surveillance cross to bear, the British government seems to go a step further in its public dialogue on banning or outlawing the use of encryption. Never mind the fact that encryption couldn’t be fully removed. (Open source, anyone?) Wouldn’t the cost of such a measure be absolutely staggering? Cracking open or handing out keys to data in London’s financial centers alone could spell security disasters, to say nothing of the intertwined global economy. What is the fiscal damage from damning real uses for perceived threats? I’m tempted to invite U.K. leaders to ban encryption, just for the immediate pain point it would create.
In terms of the cost of having security in place, businesses remain without a great, unifying, agreeable measuring stick. Without this type of gauge for each of the security tools that do or could boost a company’s data protection program, much of the planning ends up a struggle between breach/leak impact reports after the fact and some mystery price tag for missing or poorly used security. As an insurance mechanism, security has proven to be too vague or, in the hands of stern CISOs, a new “Department of No.” Treated as a pricey patch that relies on incidents as the notification for bad systems and data practices, security becomes a plan that is downright offensive. No one knows what to anticipate from either the outcome of the illness or the cost of the cure. (There was also an echo on security metrics earlier in June from Cory Doctorow and others at Gartner’s big security shebang outside of Washington, D.C.)
I’m not expecting security vendors or CISOs to spill the beans on their pricing charts. You could run yourself and your CFO ragged by gobbling up every security option under the sun. What would help more is a realistic, unifying metric for security across the board, like the classic “Big Mac Index.” This metric would take into account what works – hello, encryption! – and what can’t be taken for granted or stripped away. What would you count as the “cost” of using security, rather than the cost of screwing it up? I’d definitely like to hear suggestions. Once we’re speaking apples to apples and Big Macs to Big Macs, everyone working to protect the world’s data can more easily see how to choose between health food and a fast food fix.