Information Security Evolution

I write blogs on knowledge, challenges, gaps, and trends in Product Security including application security, infrastructure security and GRC. You can expect one post per month providing unique insights and the latest trends. It would be best if you were a security engineer to understand my blogs as it would not be easily understandable for beginners. However, I will work my best to be beginner-friendly to new people from other domains. You can show your support by subscribing to this newsletter.

Newsletter Update

From now on, free subscribers will receive a weekly short read on topics such as application security, cloud security, GRC, updates from regulatory bodies, DevOps/SRE, new trends, product management, product news, and career growth. There will be one free post for non-subscribers, but most of the content will be exclusive to subscribers and available only via email. You are warmly invited to join this journey to stay updated and gain valuable insights!

Information Security Evolution

Everything on Earth evolves. Humans and other species have evolved through all the periods of Earth's history, and here we are! In the realm of software technologies, software has also evolved significantly from what it once was. It's interesting to talk about change because change is what drives evolution. Change is a domino effect: when one thing changes, it causes another to change, much like a butterfly effect, where there isn’t always a direct causal relationship. Evolution depends on change, and change is deeply connected to the environment with which the subject interacts. How do you think information security is evolving? What influences the evolution of security?

Environment:

Let’s talk about the environment. A good environment can lead to positive outcomes, while negative elements can alter the environment, and vice versa. In evolution, the environment plays a major role in shaping how evolution unfolds.

The information security environment consists of:

  1. Bad threat actors

  2. Ethical hackers

  3. Legitimate users

  4. New technological innovations and tech evolution

Red Queen Effect:

“It takes all the running you can do to stay in the same place.”

You have to keep moving to stay in the game. You need to play the long game, which is about survival. For species, it's about surviving. As Jurgen Appelo said, "Success is the postponement of failure." The objective is to avoid dying; similarly, in cybersecurity, the goal is to prevent failure or to postpone a data breach.

As the environment evolves, security coevolves with it, developing better strategies. However, evolution does not always lead to positive outcomes. For example, the advent and global adoption of new technologies has enabled individuals to attack others from anywhere in the world. Users may not have worried about privacy in the past, but this has changed as the user environment has evolved. This evolution has led to improved security through new laws. Security must keep pace with these changes, and organizations need to adopt new technologies and adapt to new laws.

By introducing laws and compliance measures, there is an attempt to control the environment, but these measures can never fully keep up with its evolution. Compliance does not guarantee protection from all threats; rather, compliance and laws aim to set new standards and drive a new phase of evolution.

What about SOC 2 and GDPR? These regulations didn't exist before; they were created in response to the evolution of technology and the environment. Has SOC 2 evolved? Is GDPR meant to evolve as threats continue to change? For instance, what about supply chain attacks? Why hasn't SOC 2 addressed them? Compliance is not keeping up as quickly as it should. Changing compliance and laws creates a domino effect, which is why relying solely on compliance is never a sufficient strategy to keep up with an evolving environment. If we depend only on compliance, we risk falling behind.

Understanding the environment is crucial for defending organizations, which is why we must remain vigilant. Compliance often means we're reacting rather than proactively addressing security challenges. Achieving SOC 2 or GDPR compliance does not mean an organization is secure or keeping pace with evolving threats. Viewing security solely as a revenue-generating function is a flawed perspective. It's like comparing warriors to healers: warriors are meant to fight, but there isn't always a battle. That doesn't mean you need fewer healers—having just two healers for every 100 warriors is insufficient. You must be prepared for attacks and have enough healers ready to treat serious wounds.

Today, we might think that a data breach isn't a life-or-death situation—it's customer data. However, invisible wars are happening, where data could become crucial and lead to severe consequences. For example, hospital data being hacked could be life-threatening. As the environment continues to evolve, future conflicts might not involve bloodshed but could target identities, manipulate consumer data, influence elections, or even shut down electricity.
