As a society we are fast approaching a world where everything is connected, and our lives will potentially be logged in near-infinite detail. Connected fridges and cars are just the first steps toward my shirts having sensors and notifying my tailor that my shirt has been through 50 washes at 40 degrees and has been worn 49 times in average temperatures of 12 degrees Celsius. Therefore he should start tailoring a new shirt for me now, because my current shirt is going to show wear and tear in three weeks' time, at which point I will come in for a new one.
Is it only a matter of time before implanting chips into humans is the norm? The amount of data that could be collected from that is astronomical. There are advantages to this as well: my doctor could predict a potential illness and help me prevent it through lifestyle change or medication. However, the thought of having everything connected, with all manner of data being collected and an infinite number of decisions being made based on the analytics of that data, is a scary one, all the more so given that organisations still don't seem to have a proper handle on data security. Headlines about data leaks continue to appear in the media on a regular basis.
Data is one of the most valuable assets an organisation can have. Used correctly, it can be the difference between winning and losing against a competitor. Many of the services consumers wish to use (on their mobile phones, cloud services, retail websites, etc.) require the exchange of data, and in most instances that data can identify an individual and the behaviour of that individual. As a consumer, you cannot get by without some data being exchanged with a service or product provider. You could forgo such technology, but you would very much be seen as an outcast or misfit in society. Given the amount of data being collected from consumers, it is only fair for the consumer to have some level of confidence that their data is being reasonably protected.
How we communicate information security needs to change. Information security needs to be front and centre of every product or service that we purchase. It needs to be visible on every website we visit that collects data or downloads software onto a user's device. Understanding information security must not be the preserve of information security practitioners. A consumer, any consumer, must be able to digest and understand the state of an organisation's information security posture in less than 10 seconds.
Every product or service ought to carry an InfoSec Graphic that illustrates the current state of information security control at the organisation that developed it. The InfoSec Graphic should depict the key categories of information security control. These categories must be agreed upon as an industry standard, and each organisation should be rated against the same categories so that ratings are comparable across organisations.
The purpose of the InfoSec Graphic is to give consumers the opportunity to make an informed decision on whether they want to give their data to an organisation. A category rated M (medium) or H (high) indicates a failure of some sort within that category; the higher the rating, the more serious the failure. To find out exactly what failed and why the category was rated M or H, the user can click on that category for more details. The InfoSec Graphic depicted below shows IAM rated M; this could mean that there has been an IAM control or process failure on a system that is not critical to the organisation or one that does not process personal data.
It is easy to consume baseline information this way, and a consumer is instantly made aware of an organisation's level of information security control. The consumerisation of technology should extend to information security. The consumer then decides whether to purchase an organisation's products or services based on its information security control rating. The worse the rating, the higher the likelihood of consumers moving to a competitor, and the threat of losing customers to a competitor has a far greater impact on an organisation than any regulatory fine. An organisation would therefore be compelled to improve its information security posture.
Watch this space for a more in depth study…