I’d like to talk about a dirty little secret in the cyber world: most system owners and operators want to do authentication and signing on the cheap. The fact is, the userID/password model, in use since the first generation of computing, is viewed by many online services as sufficient to their needs, while stronger identity management for authentication is considered by those same managers to be overly complex and expensive. Furthermore, most systems managers say they’ve never been attacked and don’t think they’re likely to be.
There’s no arguing with the fact that a userID/password implementation is less expensive and simpler than a high-assurance trusted credentialing solution for authentication and signing. That said, there is a substantial hidden, or at least overlooked, cost to maintaining this rudimentary solution. The operational cost of managing a database of userIDs and passwords is buried in the overall cost of maintaining the system that houses it, but it’s real enough, as is the cost of helpdesk support (human or automated) for lockouts and password resets. And that database is itself a liability: a stolen password database puts every account in it at risk. Additionally, the risk of attack is real, and the probability of attack is getting greater, not smaller. Still, it’s hard to quantify the cost of that risk at budget time, when the manager is going up against the rising cost of everything from electricity to toilet paper.
Risk calculations are part of the cybersecurity toolset, and higher-assurance credentialing is one of the mitigating technologies the security team can deploy. But the cybersecurity folks get very little respect at budget time themselves. So the usual model finds the IdM guy and the cybersecurity guy fighting over the crumbs left on the table. But I digress.
As governmental services, including the workflows of the regulatory agencies, move online, the risk assessment math changes. The formula stays pretty much the same, but the numbers change. The cost of a breach goes up steeply. Fines for privacy breaches are just the beginning. There’s the loss of credibility among customers and business partners, the opening for competitors to steal the cheese, and the drain on other project budget lines when the victim is forced to spend unbudgeted funds on security consultants, repair services and new software tools to address the damage. On top of all that, the security practices hastily adopted after the fact disrupt most of the workflows in the victim’s business processes.
So what’s the cost of all this to the firm? Until the spit hits the fan, nobody wants to know. But it’s a good bet that one of the costs is the head of the underfunded cybersecurity guy, who gets to be the corporate scapegoat. In the TV-drama world, he or she would find happiness in a new career selling toilet paper to industry at a higher income. In the real world, things aren’t so happy.