Finding The Hidden InfoSec Story

The Magic Circle


How could a gentleman’s club nearly one hundred and ten years old have anything to do with information security? Well, I can tell you now: more than you would initially suspect. The Magic Circle was formed in 1905 by three professional magicians at London’s Pinoli’s restaurant, to promote and advance the art of magic. It has a Latin motto, Indocilis Privata Loqui, roughly translated as “not apt to disclose secrets”, and any member who does disclose them is subject to expulsion. Now is this starting to sound more familiar?

The Magic Circle operates to promote the good practice of magic, which is in itself a technical discipline and, as I doubt anyone would dispute, nothing other than the art of illusion. However, within the confines of the circle, if the motto is to be believed, anything shared is safe and sacrosanct. This might lead people to the mistaken belief that if there is true secrecy, then maybe openness is more acceptable in these privileged confines. When we assume we are safe, just how far do we let our guard down?

Think about the high-profile magicians of the last few years, including the outrageous Penn and Teller. Well, let’s face it, you would not want your daughter bringing them home. They have made a career of performing magic and then showing people how it is done. Do you feel the walls of the Magic Circle starting to quake and shake with the virtual trumpet being blown, à la Jericho? The Roman poet Juvenal, in his Satires, coined the much-used phrase “Quis custodiet ipsos custodes”, or “who will watch the watchers”.

Now we are all aware of the benefits of a whistleblowing culture. When the wrongdoing of others is exposed, hopefully without a backlash against the whistleblowers themselves, then this approach is a perfect safety valve. However, when what is being shared is the details of how to perform the latest trick, then a lot of people can see an adverse impact on their livelihood and reputation.

There is a parallel here with the way we perceive our secure environments. When I turn up to work in the morning, I have the wonderful feeling of the warm safety blanket wrapped around me provided by the bank. There are physical, procedural and technological elements in place to make me feel secure. I can relax my guard as all the naughty people are on the outside looking in, surely? Well, how many hacks are really about people already within your organisation? How many Penn and Tellers do you have working for you? How many will take your wonderfully safe little world and turn it upside down?

There was a huge amount of focus a few years ago on how the press were finding out about internal pieces of corporate information.  A memo was quite rightly sent out to all staff to inform them of what they should and should not share with external agencies including the press.   The memo appeared in the ‘Here is the city’ newsfeed within one hour.  Somebody read the memo and not only ignored it, but did the opposite and broadcast this information (one would assume for profit). This is all very well I hear you say, but what can we do about a rogue person like this?  This was public knowledge across the organisation.

Well, you are right; things that are in the corporate public domain are likely to get into the global public domain.  Everybody knows the secret of ‘find the lady’ and pretty much everyone can tell what really happens when a beautiful assistant is seemingly cut in half.   But what about that new trick that will give your company a competitive advantage for the next two to three years?  How do you stop that leaking?

I am sure that if you check the computer usage guide you signed up to when you joined the company, it will say that all information you store should be categorised according to its confidentiality. This might be a good starting point for making sure you protect what is important. Also, like any good boxer, when you are in a fight, however well it is going, keep your guard up. Don’t assume that another trusted member of your own magic circle of colleagues will not share your trade secret. The only consequence of sharing knowledge from the original Magic Circle is expulsion. There may be a delightful sense of Schadenfreude when that colleague who gave away your secrets is escorted off site, but frankly that will not put the genie back in the box.

In closing, I think maybe Siegfried and Roy have got it right.  Keep your secrets to yourself and if at all possible employ a big cat to give yourself an even bigger public image of security.

Author: Dave Brooks
