Security and Marketing, two zeitgeist kids growing up the best they can
Marketing and Security may seem like strange bedfellows. If you imagine a party, Marketing would be the life of the party and the centre of attention, while everyone would expect Security to be skulking in the corner. A strange paradigm shift has recently taken place, and Security and Marketing are now close friends. The reason for this odd-couple relationship is Social Media. Marketing loves Social Media because people use it and have embraced it with a fervour that is quickly and radically changing the human condition and the way we communicate with each other. By a strange coincidence, Security loves Social Media for the same reasons.
The increasing diversity of our means of communication, and of the devices we use to communicate, presents some extremely difficult challenges for Security. It is no longer the case that text-based communication takes place from a personal computer and voice communication comes from a single-function telephone. The PC is now making voice and video calls, the phone can do pretty much everything the PC can do, and a whole new cornucopia of communications is enabled by Social Media. Email as a primary means of business communication is in swift decline, and I work with people who, if I need them to read an email, it's usually quickest to prompt them to check their email via social media or text. The problem for Security is that we had worked out how to own the PC and control email so tightly that nothing could leak or go wrong. Once again Moore’s law has humbled us!
Suddenly everyone is communicating via any of a few dozen Social Media platforms, on any sort of communications, gaming and even navigational device, and any semblance of control or a “locked down” approach has become a challenge. In this exciting world of new availability, any attempt by Security to prevent people communicating and sharing experiences through traditional prevention-focussed measures is doomed either to fail or to cause resentment. Where successful preventions are put in place, people find a different way to communicate and share, like water flowing around an obstacle. With this incredible diversity of channels and devices, Security needs to rethink and find ways to protect people and information from abuse and misuse while still allowing people to do what they need to do.
Social Media is, ironically, both part of the cause of Security’s existential crisis and one of its possible paths forward. The fabulous thing about Social Media is that people use it and, like a school of fish, there really is security in a group. All these people using social media together start to demonstrate patterns of behaviour. As both a group’s and an individual’s usage of social media continues, the ability to predict expected behaviour, its heuristics, becomes increasingly accurate. These patterns of behaviour, including probable times of activity, duration, probable location and device type, make it increasingly difficult for a malicious person to pretend to be someone else. Funnily enough, all of this behavioural analysis is also remarkably useful for Marketing.
A risk-based, rather than prevention-orientated, security approach and set of policies become feasible. Security can focus its efforts not on preventing people doing what they want to do but, using heuristics and dynamic risk assessment tools, on concentrating resources on those actions that are most likely to be malicious. Not only is this risk-based approach more popular, it also saves money and makes richer functionality possible. This enables people to communicate and share with an acceptable level of security, and Security and Marketing can enjoy the party together!