How a Common Corporate Policy Promotes Data Theft

Bob Young
5 min read · Dec 19, 2018

Securing your data requires a new way of thinking about your data.

CEOs: I’m going to tell you what you want, and then I’m going to punch you in the gut.


What You Want: Data Ubiquity.

Data Ubiquity may be described as,

“I want access to

all of my data,

at any time,

on any device,

from any location.”

The Gut Punch: It’s impossible to secure it.

I know, I know. Your Head of Security, whatever title you gave him or her, is giving you all kinds of assurances. But all of those assurances are couched in heavily conditional language, aren’t they?

“No data is ever one hundred percent secure.”

“The data is stored securely, but there’s always the possibility of an insider attack.”

“I can secure the data, but I can’t vouch for the security of the operating system, because someone else provided it. And I can’t vouch for the security of the applications, because somebody else provided them. And I can’t vouch for the security of the network hardware, because somebody else provided the routers and switches. And I can’t vouch for the security of our ISP. And I can’t vouch for the security of the Internet. And I can’t vouch for the security of our cloud service provider’s architecture.”

“BUT — I assure you — our data is as secure as we can make it, using industry-accepted best practice, and within the budgetary constraints you gave me.”

The reality is, because you insisted on Data Ubiquity, you now live with two unyielding truths.

Unyielding Truth #1: Your attack surface is infinite. All of your data can be attacked from anywhere, at any time, by anyone using any device. Wait, what? You think I slipped something in there? “Anyone” wasn’t part of the definition of Data Ubiquity, was it? Ah, yes, but — “anyone” is indeed part of your current attack surface, because of the second pesky, unyielding truth…

Unyielding Truth #2: User authentication will inevitably be compromised. Yes, inevitably. Look at the number of breaches…

Bob Young

CISO, Director of Information Security, and Security Consultant. Also, I wrote some books that have nothing to do with IT.