Security doesn't come from building castles. It comes from people taking action to defend themselves.
In the middle ages, security was simple. If you wanted to be safe, you found a steep hill and built a castle on it. Add a network of walls, ditches, moats and battlements, and you could feel pretty secure.
Problem is, most castles were starved, not stormed.
Once you were locked up inside the castle, you had limited access to fresh food. An attacker just had to sit outside and wait for you to starve. And while they waited, they had the run of the valuable real estate surrounding the castle.
Eventually, to be truly secure, you had to leave the castle and face the attacker.
That pretty much describes the state of IT security these days. We draw a series of boundaries between some secure zone inside the corporation and the dragons outside.
We deploy a complex array of firewalls, intrusion detection systems, and suchlike to defend these boundaries.We write policies restricting access to services outside the boundaries. We create a mindset that the outside world is dangerous, to be avoided.
Then we sit back and wait to starve.
We starve ourselves in several ways.
We cut ourselves off from customer contact. Let’s face it: our customers are on Twitter and Dropbox and Facebook. They want to chat with and about us.They want to share photos of our products.
If it’s hard for our people to engage with them, then we look aloof and disconnected.
We cut ourselves off from partners. Organisational boundaries are porous. We develop products in partnership with other companies.We sell and service those products through a web of distributors and other intermediaries. We rely on a complex supply chain.
And we do all this in real time, with increasing pressure to respond to events both rapidly and in a nuanced way. When we put barriers around ourselves, our partners go elsewhere.
We cut ourselves off from innovation and learning. Barriers make it difficult to receive feedback and reinforce people’s tendency towards tribalism and groupthink. They filter out alternative views.
Safe within our walls, it becomes harder for people to generate fresh ideas. We become increasingly slow to recognise problems and deal with them.
We create a false sense of security. People start to rely on the machinery. The more we spend trying to engineer perfect defences, the more people believe that systems will protect them from all harm.
So they begin to act in unsafe ways. Perfect defences don’t exist. People need to act sensibly in the face of subtle, socially engineered attacks that no set of firewall rules can ever defend against.
Of course, there are real security threats out there. There is an active industry engaged in stealing and reselling identities and credit card numbers.
It’s relatively easy to buy a botnet and hence launch a denial of service attack. Most websites are regularly probed by hackers. We need to put appropriate protection around our online assets to defend against such attacks.
But we shouldn’t pretend that this protection is anything more than an initial barrier to delay our attackers. Eventually we need to go out and face them.
So, as ever, true security depends on human vigilance and willingness to act.A true Chief Security Officer is therefore going to focus on equipping people to deal with the threats.
He or she will focus on education, looking at elements such as:
- Motivation. How do attacks damage the organisation? What benefits accrue when people take an active role to defend themselves and the organisation’s assets?We need to make the threat real, without scaring people into inaction. A tough balance, and one where simple scare tactics are counterproductive.
- Recognition. How do we recognise risks and threats as they appear?
- Response.How can people avoid risks without closing off opportunities? How should they respond to attacks? What is the right balance of risk and reward?
- Practice. There’s no point in having a sword if you don’t regularly practice with it – it’ll be useless when you really need it. The same goes with all the tools of technical security. People need to know how to use their personal firewalls, remote wipe facilities, etc.
- Infrastructure. None of this precludes the need for corporate firewalls, intrusion defence and other infrastructure. We need to put this in place, but as a support for personal defences not as a replacement for them.
Ultimately, security comes when people take action to defend themselves.Building technical castles is no more sufficient than building stone castles was in the middle ages.
The unintended consequences of those technical castles, in terms of lost customer interaction and innovation, is often just as bad as the original security threat.