As a Director of a team of 28, I tried very hard to install a culture of both self-reliance, and innovation. This could be summarised by the phrase; “Don’t come to me with problems, come to me with solutions.” I have tried as much as possible to build that into my blog posts as well.
Not this time however, this one’s just me babbling.
My theory stems from the fact that there is no such thing as 100% secure. That with the right motivation, skill, and time, a hacker will get in. Anywhere. The hackers in question spend a significant amount of effort mapping the target systems to eventually find the weak spot(s), and because the environment rarely changes, their end goal is always achievable.
The analogy used most often in security is one of a castle. You build up many layers of defence (thick walls, moat, arrow-slits, battlements etc.) and your most precious possessions are held in the most secure room in the centre of it. However, because that castle can only change very slowly, a concerted attack will eventually result in the loss of the ‘crown jewels’.
All it takes is time.
However, all of these defences are really just a means to an end, it’s the data itself that’s the only thing that matters. The real problem therefore lies not so much in the systems, but their predictability. Spending money and resources on more and more ways to protect the systems is just building higher walls. Eventually you have to stop, and eventually someone is going to break them down. And to take the analogy one stage further, the higher the walls, the more fragile they become (see Insecurity Through Technology).
So what can we do when the rising interest in privacy, and the ongoing train-wreck that is PCI, is causing a tidal wave of new products and services all claiming to be the missing link in your security program? Oddly enough (given my dislike of buzz-phrases), the only one that makes sense in the context of this blog is Cloud based services, where scalability, redundancy and resilience are generally built into the platform from the beginning. A system goes down and you plug in a new one.
But how about taking this one stage further? Don’t just replace when something breaks, instead change as a matter of course! From firewalls, to servers, to encryption, even as far as location, change something in your environment to negate as much of the hacker’s reconnaissance as possible. For every benefit, there will be at least one, or even several, reasons to keep things the same, but the benefits are extensive:
- Security – The entire premise of this blog; if you change things frequently, bad-guys fre less able to keep up and the rewards become less and less worth the effort. Back to building your fence higher than your neighbour.
- Simplicity – To even think about replacing a system outside of a disaster recovery scenario, everything you do has to be simple. There is no security without simplicity.
- Business Transformation / Competitive Advantage – I contend that in terms of competitive advantage in the Information Age, any head start will be closed in a matter of weeks / months, not years / decades. Any organisation that has the capability to quickly change aspects of their environment clearly has a thorough understanding of their business processes. Understanding is knowledge, the correct application of knowledge is wisdom, or in this case; appropriate transformation.
- Business Continuity – Most organisations have distinct gaps between their continuity needs, and their ability to meet them. Even if Incident Response and Disaster Recovery processes are tested annually, only an organisation that makes significant changes frequently has the well-honed skill-set to meet or exceed the continuity plan goals. Practice, in this case, can indeed make perfect. Perfect enough anyway.
- Innovation – Only from simple and well-known can innovation be truly effective. When you’re not worrying about how to keep things running and can focus on what else you could be doing with what you have, you are free to be either more creative, or recover quicker from your mistakes. Too often the inability to adjust begets the fear to even try.
As I stated previously, there are probably more reasons that this theory is completely unsustainable than there are apparent benefits, but I don’t think that means it’s not worth a try. Humans tend to overcomplicate things and then get lost in the detail, but with simplicity comes the freedom to focus on what really matters; the data from which all of your knowledge springs.
[If you liked this article, please share! Want more like it, subscribe!]