If you have nothing to fear but fear itself, rationally speaking what is left to worry about?
On the face of it, the workings of financial markets are a world away from the security industry, and yet there are instructive parallels if you stare a little harder.
Computer security is about minimising risk for an organisation or individual, without making a network or device so hard to use or expensive to run that it is not worth having. Market security - conducted through regulation and the full disclosure of information - is about allowing the market to operate in a way that doesn't mislead investors as to the nature of the risks they are taking so as to distort price.
The problem for both is relating information to real risk without creating either undue hysteria or complacency. Both struggle with it.
Investors are often misled in small ways, and occasionally in larger ways, leading to price distortions. Credit has been cheap in the US because the real risks of complex investments were not being made plain, at least not to everyone. The price was low because risk was seen as being low. The answer? More information, better transparency, more accountability, and a better relationship between these variables.
Similarly, organisations face a security industry that has a vested interest in playing up risk so as to ‘distort’ the price of their products. But then again, pricing technology risk is incredibly difficult. Just because companies expend huge amounts of energy talking about security risks doesn't mean they aren't right. IT risk is incredibly hard to quantify without explaining away rare but real threats.
The security industry has since the accounting disasters of Enron and WorldCom become focussed on compliance, a way of making the tangled webs of how money starts out in databases and ends up on balance sheets more transparent to investors and regulators. As with the way markets supposedly strive for transparency through regulation, it's less about buying a particular piece of security technology and more about proving that it has been deployed properly by waving an audited piece of paper.
Many have complained that compliance adds up to less than it seems, while adding cost and inconvenience, but it has chundered on because there's nothing else to put in its place. Compliance is IT's attempt to rationalise transparency, however imperfect. It's a fair bet that financial regulation will soon mimic this movement, seeking to wave bits of paper at every turn, as an antidote to certain types of recent ‘excess’.
In the end, CTOs, like CEOs and investors alike, believe what they want to believe, subscribing to fairly conventional views of risk. Financiers and journalists are queuing up right now to deconstruct the failings of neo-liberalised markets in amazing detail and often with great sophistication. These are bright people. The problem is it's all after the fact. The time for brainy suggestions was probably at least five years ago, a moment when such wisdom would have been laughed at as alarmist, negative nonsense.
IT is probably less naïve in its belief in security technology than were investors in the markets, but there are some disturbing parallels. No company has ever been brought to a standstill by a serious security breach, even though it is very possible that it will one day happen. No organisation has ever lost a large database and then seen it exploited by criminals on a financially disastrous scale, even though that is also a real possibility. Insider security breaches - theoretically the most serious - are still said to be rare, even though they don't have to be common to be serious.
As with the financial markets, there is only one sound way to manage risk and that is using the ‘canary in a coalmine theory’ of security. Forget looking for the perfect security product or the most secure OS because neither will ever exist. Forget looking for the most trustworthy security manager because he or she has yet to be born. Don't try to create the perfect, fraud-free market, because it would be one with so many overseers and margin-takers that the new Wall Street would end up making North Korea look like a model of capitalism.
It is far better to put in place early-warning systems, systems or people who can notice when something is going awry. There were a few people who warned that markets had lost their transparency before Wall Street imploded, but the powers that be and ordinary investors were not tuned to listen.
The ‘seers’ of trouble ahead are often people on the margins of those considered worth listening to. They will be people touched by trouble in the past, those who know the worst kind can come out of a plain blue sky as easily as the eye of a storm. If you're lucky you'll know one or two people from this unusual group.
The security technology of the future will be all about replicating this type of intuition, the ability to spot the unusual, to see tiny patterns around the margins of the usual flood of alerts nobody takes seriously. The best security systems, the best security people, are ones who spend their time searching for trouble. The risks look small in simple number terms, which is why you don't hear about them often. But they are the ones that stalk everyone.
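The early-warning idea running through the last few paragraphs, spotting the one unusual event inside a flood of routine alerts, can be made concrete. The Python below is an added illustration and not code from the original column: it scores every alert by how surprising its host/event pair is against a baseline window (add-one smoothed surprisal, in bits), so a never-before-seen event ranks above thousands of repeats of a noisy one. The host names, event names, baseline counts and log lines are all constructed for the example.

```python
"""Rarity-based triage of an alert flood.

Each alert is scored by -log2 p, where p is the add-one smoothed baseline
probability of its (host, event) pair. Routine noise scores low; a pair the
baseline has never seen gets the highest possible score. Illustration only:
every host, event and count here is constructed, not real data.
"""
import math
from collections import Counter

# Constructed baseline: what a quiet week looked like, as (host, event, count).
BASELINE_WINDOW = [
    ("web-01", "failed_login", 4200),
    ("web-02", "failed_login", 3900),
    ("web-01", "tls_handshake_error", 310),
    ("db-01", "slow_query", 150),
    ("vpn-01", "user_login", 880),
    ("admin-jump", "user_login", 12),
]

# Constructed "today" log in a simple 'host event' line format. Two events
# (db-01 bulk_export, web-02 tls_handshake_error) never appeared in the baseline.
TODAY_LOG = """\
web-01 failed_login
web-02 failed_login
web-01 failed_login
db-01 slow_query
vpn-01 user_login
admin-jump user_login
db-01 bulk_export
web-01 failed_login
web-02 failed_login
web-02 tls_handshake_error
"""


def parse_alert(line):
    """Split one 'host event' log line into a (host, event) key."""
    host, event = line.split(maxsplit=1)
    return host, event.strip()


def baseline_probabilities(window):
    """Return a function giving the add-one smoothed probability of a key.

    Every seen pair gets count+1; an unseen pair gets the single pseudo-count,
    so it is always the rarest thing in the distribution.
    """
    counts = Counter({(h, e): n for h, e, n in window})
    total = sum(counts.values()) + len(counts) + 1

    def prob(key):
        return (counts.get(key, 0) + 1) / total

    return prob


def surprisal_bits(prob, key):
    """Information content of an alert in bits: high means 'worth a human look'."""
    return -math.log2(prob(key))


def rank_alerts(log_text, window, top_n=3):
    """Return the top_n most surprising (host, event) keys, highest score first.

    Repeated keys are collapsed before ranking, so a flood of one noisy alert
    cannot crowd out a single rare one. Ties are broken by key for determinism.
    """
    prob = baseline_probabilities(window)
    keys = {parse_alert(l) for l in log_text.splitlines() if l.strip()}
    scored = sorted(keys, key=lambda k: (-surprisal_bits(prob, k), k))
    return [(k, round(surprisal_bits(prob, k), 1)) for k in scored[:top_n]]


if __name__ == "__main__":
    for key, bits in rank_alerts(TODAY_LOG, BASELINE_WINDOW):
        print(f"{bits:5.1f} bits  {key[0]} {key[1]}")
```

The point of collapsing repeats before ranking is the column's own: the thousands of failed logins are the flood nobody reads, and counting them again adds nothing, whereas a single unseen event on a database host is exactly the tiny pattern at the margin that an early-warning system should surface first.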