Picture this. Amsterdam, September 2013: in front of the world press, the Museum Art Director of one of the world’s renowned repositories of art steps forward. He’s here to break the news that, for the first time in 90 years, an unknown work by arguably one of the best-known artists, Van Gogh, has been discovered.
Journalists in the audience pressed the specialist on the validity and authenticity of the claim. After all, the world of art is full of examples where something is claimed and even looks to be legitimate, much like those phishing and spear phishing emails, or the request to connect from an apparently trusted source, only to turn out to be someone or something impersonating someone else. A case of mistaken identity or identity theft? The Art Director responded that they had a process for authenticating art.
In this case the authenticity was based on 2 years of research. Several techniques were used to help authenticate the painting. These included the style used, forensic analysis of the paint compared to other known Van Goghs, references to the painting in a letter from Van Gogh to his brother, the discovery of the location and the point from which it was painted, the fact that Van Gogh lived in the area in 1888 at the time the painting was made, and the existence of a number “180” on the painting, which was cross-referenced with an itinerary of Van Gogh’s brother’s own collection of his brother’s paintings. These techniques were sufficient to satisfy the Museum that making a public claim of authenticity in front of the press would not place its reputation at risk.
What struck me, as I watched this news breaking on my television, was the shared challenges, terminology and processes between the world of art and information security.
As with information security, the world of art and museums, such as Amsterdam’s Van Gogh Museum, have standards for authenticating claims which are internationally recognised. Policies exist within museums covering how to authenticate art and when to make public statements about the authenticity of art. Processes exist to support policy. Controls/techniques are in place to reduce the risk that claims about authenticity are not accurate, and stakeholders in the process have the skills and experience to complete their tasks effectively.
The analogy between art and information security, in what many would consider two seemingly different worlds, could not be better illustrated.
On a final note, if you get the opportunity to visit the Van Gogh Museum, as I did as part of my research into The Science Behind The Analogies Project, find the painting, Sunset at Montmajour, give it some undivided attention, and remember the hidden information security story it and its discovery tell.