Recently I read the book “Fifty Shades of Grey”. I didn’t care for it much… It is interesting, though, that there are parallels with various principles of information security.

For those who have not read the book or seen the film, here is a short summary of the story. Fifty Shades of Grey is about the recently graduated Anastasia Steele, who starts a relationship with the young businessman Christian Grey. Christian and Anastasia negotiate the content of a BDSM contract which states that Christian may subject her to sadomasochistic roleplay. This stems from Christian’s constant fear of letting go of control and showing vulnerability. The title refers to Christian’s varied and often rough moods and mood swings, which Anastasia gets to know over time.

So what are the parallels with information security? I will list them below.

Rather than merely being exciting, the book inspires its readers to start experimenting themselves, and contains the practical tips they need. Many information security policy reports could learn from this. Not only do they offer little excitement, they also fail to invite the reader to become aware of the risks, let alone stimulate mitigating those risks with proper security measures by giving the reader practical guidelines. This calls for improvement!

Besides that, Christian is afraid to show vulnerability. He hides his true identity, which parallels aspects of the digital realm such as identity fraud, the reliability of authentication, anonymisation and pseudonymisation, and privacy: all aspects we will see a lot of in 2018 with the coming of eIDAS and the GDPR, amongst others.

Speaking of the GDPR: an important element of the GDPR is the processing agreement. You might see it as a BDSM contract. The GDPR sets new and additional requirements for current processing agreements, such as arrangements on what happens to the data after termination of the agreement, the duty to report data breaches, potential fines, privacy impact assessments (PIAs), confidentiality and audits. If you have processing agreements, it is wise to check them before 25 May 2018 and update them in line with the GDPR. Be aware that this requires tailoring to each processor; the main question to consider is how you keep control of matters at the processor’s end.

Furthermore, Christian Grey wants to be in control. Many managers say the same when it comes to information security. The question is whether this is realistic, especially when you cooperate a lot with partners in a chain or network. It is important, however, to have your information security in order: know where your risks are, which measures to take, and what to do if something does go wrong. By setting up an information security management system, you create structure and overview and are able to demonstrate accountability. Here at InnoValor we’ve recently successfully completed an ISO 27001 certification process, and I must say that it has given us much more certainty about our information security.

Sadomasochistic roleplay and information security? Indeed! I’m referring to ethical hacking, which is currently booming. Many organisations wilfully hurt themselves by hiring someone to probe their information systems for vulnerabilities. A roleplay based on inequality and vulnerability, like in the book, is now practised in ICT. This also refers back to Christian Grey’s rough and sudden mood swings: expect the unexpected, since that is often the way hackers will attack.

Finally, the title itself: Fifty Shades of Grey. This applies to information security too. Security solutions cannot be limited to one shade; the strength of security lies in its multiple layers and its flexibility: defence in depth, and the ability of the security to adapt to the situation. The latter is especially useful in the context of BYOD or BYOID. Just think of context-dependent access rights and step-up or continuous authentication. Likewise, there isn’t just one shade of risk either; risks come in gradations as well. Or, in Grey’s terms: what is considered exciting and risky, and where does control end? What is your organisation’s ‘risk appetite’, and where does information security stop because it becomes too expensive or impractical? Solutions like risk-based authentication and authorisation are examples of this.
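To make those last two ideas a bit more concrete, here is an added example of my own (not code from the book, from InnoValor’s systems or from any product) of a small risk-based, step-up authentication policy in Python. The signal names, the weights and the two ‘risk appetite’ profiles are assumptions chosen purely for illustration. The point it shows is that the same context can end in allow, step-up or deny depending on where an organisation draws its lines, and that a continuous scheme re-evaluates every request rather than only the login, so a change of context mid-session leads to a fresh challenge.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # ask for a second factor before continuing
    DENY = "deny"


@dataclass(frozen=True)
class Context:
    """Signals available at request time (constructed example fields, not a real product's schema)."""
    user: str
    device_known: bool          # device previously enrolled by this user
    country: str                # geolocation of the source address
    ip_reputation: str          # "clean", "suspicious" or "malicious"
    resource_sensitivity: int   # 1 = public ... 3 = confidential
    hour_utc: int


@dataclass(frozen=True)
class RiskAppetite:
    """Where the organisation draws its lines: below step_up_at the request just proceeds,
    from step_up_at a second factor is required, from deny_at the request is refused."""
    step_up_at: int
    deny_at: int


# Illustrative weights (assumed); a real deployment tunes these from its own incident data.
IP_REPUTATION_WEIGHT = {"clean": 0, "suspicious": 30, "malicious": 100}


def risk_score(ctx: Context, home_country: str = "NL") -> int:
    """Combine contextual signals into a 0-100 score; higher means riskier."""
    score = 0
    if not ctx.device_known:
        score += 30
    if ctx.country != home_country:
        score += 25
    score += IP_REPUTATION_WEIGHT[ctx.ip_reputation]
    if ctx.hour_utc < 6 or ctx.hour_utc > 22:
        score += 10                               # outside normal working hours
    score += 10 * (ctx.resource_sensitivity - 1)  # same context is riskier for sensitive data
    return min(score, 100)


def decide(ctx: Context, appetite: RiskAppetite, second_factor_verified: bool = False) -> Decision:
    """Turn a score into a decision. A source above the deny line is refused even with a second factor."""
    score = risk_score(ctx)
    if score >= appetite.deny_at:
        return Decision.DENY
    if score >= appetite.step_up_at and not second_factor_verified:
        return Decision.STEP_UP
    return Decision.ALLOW


def evaluate_session(requests, appetite: RiskAppetite):
    """Continuous authentication: re-evaluate every request, not only the login.

    `requests` is a list of (Context, second_factor_passed) pairs in chronological order.
    A second factor completed earlier in the session covers later requests only while
    their risk does not exceed the score at which it was completed; if the context gets
    riskier mid-session (new country, unknown device), the user is challenged again.
    """
    decisions, covered_up_to = [], -1
    for ctx, second_factor_passed in requests:
        score = risk_score(ctx)
        if second_factor_passed and score > covered_up_to:
            covered_up_to = score
        decisions.append(decide(ctx, appetite, second_factor_verified=score <= covered_up_to))
    return decisions


# Constructed sample contexts for one user.
OFFICE = Context("ana", device_known=True, country="NL", ip_reputation="clean",
                 resource_sensitivity=1, hour_utc=10)
NEW_LAPTOP = Context("ana", device_known=False, country="NL", ip_reputation="clean",
                     resource_sensitivity=2, hour_utc=10)
ABROAD_NEW_LAPTOP = Context("ana", device_known=False, country="US", ip_reputation="clean",
                            resource_sensitivity=2, hour_utc=10)
LATE_NIGHT_ABROAD = Context("ana", device_known=True, country="US", ip_reputation="suspicious",
                            resource_sensitivity=3, hour_utc=23)
BOTNET = Context("ana", device_known=True, country="NL", ip_reputation="malicious",
                 resource_sensitivity=1, hour_utc=10)

STRICT = RiskAppetite(step_up_at=30, deny_at=80)     # e.g. a bank
LENIENT = RiskAppetite(step_up_at=50, deny_at=100)   # e.g. an internal wiki


if __name__ == "__main__":
    for name, ctx in [("office", OFFICE), ("new laptop", NEW_LAPTOP),
                      ("late night abroad", LATE_NIGHT_ABROAD), ("botnet", BOTNET)]:
        print(f"{name:18} score={risk_score(ctx):3}  strict={decide(ctx, STRICT).value:8}"
              f" lenient={decide(ctx, LENIENT).value}")
    session = [(OFFICE, False), (NEW_LAPTOP, False), (NEW_LAPTOP, True),
               (ABROAD_NEW_LAPTOP, False), (BOTNET, True)]
    print([d.value for d in evaluate_session(session, STRICT)])
```

Note how the ‘new laptop’ context is a step-up for the strict profile but plain allow for the lenient one: that difference is the risk appetite made explicit. And in the session walk-through, the second factor completed on the new laptop does not carry over once the same laptop shows up from another country, while a malicious source is denied regardless of any second factor.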

Surely there are more parallels to be found… I would love to hear them from you!