Are Insiders the Bigger Threat?

I find it unbelievable people still pose this question. Over the years, incident data has been used to suggest that outside attacks on companies are the bigger threat, or that inside attacks are, but somehow in the fray some people have been led to believe that they can still operate with the “candy model”: hard on the outside, soft on the inside.

Some recent news stories have provided fertile evidence of why so-called insiders are as big, if not bigger, threats to system security.

A company that is serious about investigating incidents will know that the more successful it becomes, the more porous its perimeter, and so internal vigilance and controls are essential elements of its very identity.

First, a story of a neo-Nazi group recently tracked down in Israel, based on complaints from victims:

Police discovered the skinhead ring after investigating the desecration of two synagogues that were sprayed with swastikas in the central Israeli city of Petah Tikva more than a year ago, Rosenfeld said.

Police computer experts have determined they maintained contacts with neo-Nazi groups abroad, and materials seized include a German-language video about neo-Nazis in the U.S.

Where was the gap in the perimeter control?

Under Israeli law, a person can claim citizenship if a parent or grandparent has Jewish roots. Authorities say that formulation allowed many Soviets with questionable ties to Judaism to immigrate here after the Soviet Union disintegrated. About 1 million Soviets moved here in the late 1980s and early 1990s.

[police spokesman Micky] Rosenfeld said all the suspects had “parents or grandparents who were Jewish in one way or another.”

[…]

Amos Herman, an official with the semiofficial Jewish Agency, which works on behalf of the government to encourage immigration to Israel, said the phenomenon was not representative of the Russian immigration.

He called the gang a group of frustrated, disgruntled youths trying to strike at the nation’s most sensitive core.

“We thought that it would never happen here, but it has and we have to deal with it,” he said.

Many companies in a comparable situation, where insiders do the unthinkable and essentially turn against their own identity, are highly unlikely to ever reveal or acknowledge the problem, let alone discuss it openly in the news.

Next, consider the blog chatter that the GOP has been overrun by (or is representative of?) perverts:

I’m sure an enterprising winger blogger could come up with a similar list of “naughty” Democrats, but I’ve found a nice list that bolsters the assertions I made previously about perversion being endemic in the Republican party.

The absolutely huge list (I lost count after 50), includes everything from allegations to convictions. Even Schwarzenegger’s name is there. It is truly depressing and sad. But the point is that it highlights the problem with banging the perimeter drums while ignoring the fact that security is not a wall with a gate, but rather a mindset based on values that are consistently measured. In other words, if you maintain a shallow gauge to determine foes (e.g. a stereotype of Russian immigrants as bad) then you most likely have an equally shallow gauge to determine friends (e.g. a stereotype of elected Republicans with family values).

The bottom line is that there really is no “inside”, just as the concept of “national” perimeters continues to erode. Good security professionals can help raise the bar in the post-nation-state world and build more reliable trust systems.

What do you base your trust upon?
