This past summer’s hacking of secure personnel information at the Office of Personnel Management started me thinking about the 1994 movie Pulp Fiction. We all need to take a hard lesson from that film, in terms of how we protect what’s important to us.
In Pulp Fiction, a boxer named Butch has a gold watch–a memento from his father who died in a Vietnam prison camp. Over the course of the story, Butch has to make a hasty getaway, but at the last minute, he discovers his father’s gold watch is missing.
Butch is unwilling to run away without the watch. That watch was Butch’s “one thing,” and he knew it. Unfortunately, he wasn’t sufficiently careful about securing it, and trying to get it back meant undergoing suffering and pain.
Whether in our personal lives or on the job, we all have “one thing”–that item or asset that most needs protecting and preserving. The one thing that is so important that, if your house were burning down and you had to make an escape and could only grab one thing, it would be this.
This summer, the Office of Personnel Management lost its “one thing”: the secure control of essential government personnel records. The records are there, but the confidence that they are secure is gone forever. Since then, the Office of Management and Budget has introduced its Cybersecurity Strategy and Implementation Plan (CSIP). This may be a step in the right direction, but it really serves as a reminder that very few of us even know what our “one thing” actually is–or what we need to do to protect it.
Six months later we’re all still dealing with the blowback from the OPM story. What have we learned? By all appearances, nothing. The conversations are the same as they were before, and cybersecurity plans appear to be pretty much the same, as well. We all seem to be running around, just talking about the need to do something: “Seal the perimeter, update the patches, continuous monitoring, just do something!”
We need to stop and think about what security means to each of us. What is our “one thing”? At the service level, department, command, or agency? What is it we can’t afford to lose here? If we don’t know–if everyone in your organization isn’t in agreement on this thing–we cannot proceed.
If you really have more than one thing, make your short list, or top five, or even top 10, and sort them by risk priority. Once you have your list, there are three main areas of analysis you must conduct:
- Access: Who can get to it and how? Is it safe?
- Systems: Are the systems where it lives sound? Are they protected? Are they safe?
- The asset itself: When access protections fail (and they will), when system security fails (and it will), how can we be sure that the “one thing” is not, will not, cannot be lost?
With all that in mind, remember that there is only one real way to secure a digital asset, and that’s with strong encryption and key management. Your “one thing” needs to be encrypted, and the encryption key has to be managed to keep it out of the wrong hands. That’s the only way to ensure your “one thing” is secure–at rest, in use, and in motion.
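One concrete shape of what this paragraph prescribes, shown here as an added example written for this page and not as code from the author or from SafeNet Assured Technologies: envelope encryption in Go using only the standard library. The asset is encrypted under a per-record data-encryption key (DEK), and the DEK is in turn wrapped under a key-encryption key (KEK) that is never stored beside the data. The names `Record`, `Protect`, `Recover` and `Rotate`, the `"asset"`/`"dek"` purpose labels, and the in-memory KEK are this example's own assumptions; in a real deployment the KEK lives in an HSM or a key-management service and only the wrapping and unwrapping calls reach it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what gets stored: the asset ciphertext plus the data-encryption
// key (DEK) wrapped under a key-encryption key (KEK). The KEK never touches
// storage; in practice it lives in an HSM or key-management service (assumed).
type Record struct {
	Ciphertext []byte // AES-256-GCM: nonce || ciphertext || tag
	WrappedDEK []byte // DEK encrypted the same way under the KEK
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce; aad binds the purpose of the blob.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open fails closed on a wrong key, wrong aad, or any modification of the blob.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Protect encrypts the asset under a one-off DEK, then wraps the DEK under the KEK.
func Protect(kek, asset []byte) (Record, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, asset, []byte("asset"))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, []byte("dek"))
	return Record{Ciphertext: ct, WrappedDEK: wrapped}, err
}

// Recover unwraps the DEK with the KEK, then decrypts the asset.
func Recover(kek []byte, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, []byte("dek"))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, r.Ciphertext, []byte("asset"))
}

// Rotate moves the record to a new KEK by re-wrapping only the DEK; the
// (possibly huge) asset ciphertext is untouched, and the old KEK can be retired.
func Rotate(oldKEK, newKEK []byte, r Record) (Record, error) {
	dek, err := open(oldKEK, r.WrappedDEK, []byte("dek"))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(newKEK, dek, []byte("dek"))
	return Record{Ciphertext: r.Ciphertext, WrappedDEK: wrapped}, err
}

func main() {
	kek, _ := randomBytes(32) // stands in for a key held in an HSM/KMS
	rec, _ := Protect(kek, []byte("constructed sample: personnel record #0001"))
	_, err := Recover(make([]byte, 32), rec) // wrong (all-zero) KEK
	fmt.Println("stolen record without the KEK:", err)
	out, _ := Recover(kek, rec)
	fmt.Printf("with the KEK: %s\n", out)
}
```

Three properties of the scheme map onto the paragraph. A copy of the stored `Record` is worthless without the KEK, so the question "who can get to the key" replaces "who can get to the data." GCM authenticates as well as encrypts, so a modified record is rejected rather than silently decrypted to garbage. And `Rotate` shows why the DEK/KEK split is the key-management part: retiring a key means re-wrapping a 32-byte DEK, not re-encrypting every asset, which is what makes routine rotation affordable. Using a fresh DEK per asset also keeps each GCM key to a single message, well inside the safe bound for random 96-bit nonces.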
What about the cost? It’s true, there is a “tax” that comes with this type of security. You’ll be paying that tax on performance, availability, and convenience–costs that weren’t considered when service-level agreements and system designs were set.
Can we afford the cost? Let’s answer that question with a question: How important is your “one thing” to you? What is the cost if that “one thing” is lost?
Ask OPM Chief Katherine Archuleta. Oh wait, don’t bother. She is gone, just like all of the data she was responsible for protecting. My info, maybe yours, too. Still there, but gone.
Like Butch from Pulp Fiction, Archuleta lost her one thing, and it cost her (and us) dearly. Don’t do the same. Make sure you encrypt your data and have a careful strategy for managing your encryption keys.
Tom Callahan is VP of Sales for SafeNet Assured Technologies, LLC.