That is to Say, There Are Things That We Know We Don't Know

Guest Blogger: Nick Prescot 
Senior Information Security Manager

I am sure that we all know who the guy in the picture, he's Donald Rumsfeld and whilst he is/was a distinguished U.S. politician he is perhaps best known for a slightly odd quote made in 2002 when asked about the government of Iraq/terrorist groups/ evidence of WMD. I'm not in the business of holding the suspense any longer and this is what he said,

“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.”

And in the parallel universe of cyber security 10 or so years later, many people ask me what the biggest threat to today's networks within the corporate environment.  As a median response, I ask as a opening question, ‘do you know what's bad in your network/systems/access points and are you doing anything about it?’  The response is usually lukewarm, sometimes there is a strong level of assurance, sometimes not; but what is constant is that it has been the same biggest strategic threat to a corporate infrastructure for about 15 years. However, there is a shift that is going on here; the level of awareness within industry and the market is moving from the 'don't know what they don't know' to the 'don't know what they know.'

And this is the most dangerous conundrum that a company can be in, because once you don't know what's in your network and people realise that it's a problem...then it's clear that something needs to done.  Standards like PCI DSS have been trying for nearly 10 years to get people to understand what data they are processing, and given that the standard is slowly becoming more prescriptive and part of 'business as usual', a token presence in front of the QSA isn't going to cut it.

Also if you thought that the raincloud of PCI DSS was going to be a case of staying indoors whilst the rain fell, then there is the storm on the horizon in terms of the implementation of the EU General Data Protection Regulation.  I'm not going to list the FUD facts here, but it makes PCI look like chicken feed. Fines will hurt and reputational damage through compulsory disclosure will keep the PR people busy.

It's part of the security maturity process (and yes, we have a nice powerpoint slide on this); once you have moved from the 'don't know what you know' to the 'know what you don't know' then you will have a better handle on your information flows  within your networks.  I take the view that once you 'know what you don't know' this means that you have a sight of all the information within your network, and its case of having good threat intelligence to see the trends of who and when you are going to be hit.  The added bonus with this plan is that when you're hit you will have an idea of how to react and respond to the hack.

But this is the speak of an infosec manager speaking to his peers, there needs to be a plan to educate the CIO's, marketing, finance, HR and others within the business.  Instead of this message being harped on to members of the infosec community, a progressive message to the finance and HR people should be next on the list.  They are in a position of 'don't know what they don't know' because they see this as an IT problem...but hang on, they are the owners of that data.  IT provide the systems and logins...they are the teams that control, process and store the confidential and sensitive data at a much greater volume that any other department(s) within a modern day business.

So that's my soapbox moment of the week and I think that there might be some comments on this one just for being random, aloof, circumnavigational, odd, bizarre and just downright strange, but it all comes down to one thing...educational, so people are made aware and training so people don't get fired.