Some of you will remember the 1970s film Marathon Man, which starred Dustin Hoffman. The most famous scene involves him being asked over and over ‘is it safe?’. Not having a clue what his interrogators are after, his answers range from exclaiming that he doesn’t know what they are talking about to a series of positive and negative confirmations. All along he is being tortured through dentistry.
If you are involved in information security, privacy and/or compliance, you will no doubt have been involved in evaluating the security, privacy and compliance of software. This is sometimes called a risk assessment and/or privacy impact assessment, and hopefully it takes a risk-based perspective in the context of the ask. It is the merry dance of trying to discover whether the software is secure from a whole host of angles, whilst the requestor waits agitated in the wings proclaiming that ‘big company acme already uses this, surely it is fine…’. A kind of torture where the people you are asking the questions are not always 100% sure they know, or want to share, the answers, or even the questions.
This is only getting harder, as software increasingly uses AI (well, machine learning, well, algorithms) and the speed of adoption is increasing. Bear in mind that people expect a SaaS (Software as a Service) solution to be spun up in days, even hours, or a new software app to be developed in quick order to follow a marketing campaign timeline. And so on. And why not chuck in, for good measure, increased scrutiny around compliance and the law, especially in finance and healthcare, which is reflected in tougher contractual obligations.
There is a kind of value in inefficiency here, just like the law. In a way the slowing down of a project creates an opportunity to think. Scary to think, for me anyway, that to fix this people are seriously implementing AI law software to replace judges.
Healthcare is waking up to the fact that we are more than a body, and equal attention is being paid to mental health issues, at least it appears so. The scene in Marathon Man is equally psychologically and physically disturbing. Likewise, I think we should be asking not only whether the physical devices we use will harm us physically, but also whether the software we use will harm us mentally.
I wonder if we looked at all this a different way and just said ‘is it safe?’ and nothing further. One question.
I had a go at what ‘Is it safe?’ means: the software itself and its surrounding support network is technically secure so a flaw within it cannot unreasonably increase the risk to you physically or mentally. Not quite right, but a start.
When you think that using Twitter could end up with someone in the background using a tool called ‘Creepy’ to track your movements, based on your tweets as you travel, would a company like Twitter say ‘yes, it is safe’?
Of course, we all know nothing is 100% secure, or safe, but next time you are evaluating the security of a system, just ask ‘is it safe?’ and see what response you get.
