A False Sense of Security

Topics in this article

Customers have lulled themselves into a false sense of security.

I have the opportunity to speak with customers daily, and when the conversation evolves to data security, these are usually the responses I receive:

  • “…we have RAID protected data…”
  • “…we have redundant controller architectures…”
  • “…we do replication to another secure facility…”

…and the list of data protection bullet items continues to grow. In my head, I can only imagine the conversation going something like this:

IT Chief Architect: Hello Ms. Auditor, come on in.

Ms. Auditor: Hello Mr. Architect. I am here to do an audit of your data security to report back to our senior leaders.

IT Chief Architect: That is fantastic, and I can assure you, all of our data is protected under lock and key, surrounded by the finest chains money can buy, and kept in a very safe non-disclosed location.

Ms. Auditor: Well, that is simply fantastic; I feel my audit is complete. I only had three requirements and you have answered them all:

[Image: table of the auditor's three requirements]

Ms. Auditor: Audit score is 100% compliant! I will see you next year and Happy New Year.

This is the level of security protection I find discussed and delivered by some IT shops. However, as you can see, this vending machine also passes the same "audit" checklist:

[Image: a vending machine]

In the backup discipline, leadership usually does not care about the backup itself; what everyone cares about is the restoration. The same holds true in the security discipline. All is secure and tidy as long as there is no data breach. The moment the perimeter is compromised, everyone becomes interested in the audit results and asks, "How could this have happened?"

Here is what I recommend: take a fresh audit of your questions, not the answers. You cannot expect valid answers to invalid questions. If you run an annual security survey, or any survey for that matter, it may be wise never to repeat a question from one year to the next. You may uncover a critical piece of information simply by asking the question from a slightly different angle, poking into areas not explored before.

When I ask customers:

  • How many of you encrypt data at rest?
  • How many of you destroy your failed media drives?
  • How many of you would pass an independent audit… not at some predicted future date, but today, right now?

…everyone usually looks around the room…in horror…

With the recent data breaches at major retailers, including ones that take security and data protection to the highest levels, all of us should take some advice and take a renewed look at our questions, not our answers.

Candy anyone?

*Credits to Vickie Agolli for the great picture and for playing the role of Ms. Auditor.

About the Author: Chris Gaudlip

As chief technology officer (CTO) for Dell Technologies Managed Services, Chris Gaudlip provides visionary leadership for Dell Technologies Managed Services customers. Chris brings 25 years of experience at Electronic Data Systems (EDS) and Perot Systems to his role at Dell Technologies. His accomplishments include pioneering Dell EMC Proven Certifications, filing multiple pending and approved patents for his innovations, and designing solutions for Fortune 500 customers. He was recognized for his achievements by being selected as a Dell EMC Distinguished Engineer – Lead Technologist in 2011. In his current role, Chris is actively involved in Dell Technologies sales efforts, technical validations, and directing the future endeavors of Managed Services. He is the customer liaison and advisory consultant for the Managed Services offerings. Dell Technologies' customers look to him as a trusted advisor. When not traveling or reading up on the latest technologies, he can be found at his favorite hunting and fishing spots.