Easy enough to answer; we’d be attacked by hackers who are vampires, zombies, aliens, flesh-eating bacteria, and everything else unaffected by silver, just not werewolves. Or maybe werewolves with bullet-proof vests, but I’ve about beaten this analogy to death.
The fact is, and I am probably the 100 millionth person to say it: THERE IS NO SILVER BULLET IN SECURITY! There never has been, and there NEVER will be. So don’t look for it, don’t believe anyone who says they have one (especially vendors) …in fact, don’t even use the phrase unless you’re telling someone else not to use it!
Technology is not the answer …alone. Process is not the answer …alone. Even people are not the answer, although they get the closest. It is the combination of all three that provides what every organisation should be looking for in its security program: something appropriate. Appropriate in cost, effectiveness, sustainability, manageability, measurability and every other relevant -ness and -ility out there.
Every organisation needs only enough security to cover the risk to its business. Period / full-stop.
So how do you define appropriate? This is not like asking how long a piece of string is; it is actually very simple. It all falls roughly into 3 categories, people, process and technology, taken in that order:
People come first, and that starts with the CEO as the only foundation that matters. If they don’t care, no-one below them will care, and the organisation will never have the kind of security culture necessary to effect appropriate security. They will be breached, and they will deserve it.
But why should the CEO care about security? Don’t they have better things to do? Let me answer that with a question: how many businesses are dependent on the correct use of their data assets? Maybe the ex-CEO of Target has some insight?
Any CEO who has not been through a major breach is not equipped to lead an organisation in the 2000s, but a CEO who cares about security will surround themselves with people who think securely.
Everything a business does is a process of some sort: a good one, a bad one, or, most likely, somewhere in between. Unfortunately, if you don’t write these processes down, you have no way of repeating them consistently enough to measure their effectiveness. In other words, your business processes are your corporate knowledge, your competitive advantage, and your ability to change, all rolled into one.
Without documentation of your business processes, you have no baseline from which to measure your strengths and weaknesses, no way to develop a competitive advantage BASED on your strengths, or to transform your business in the face of competitive loss.
Purchase of new technology is the last resort of a well-run security program: adjusting existing processes comes first, reconfiguring existing technology comes second, and buying something new comes a distant third. No purchase should be made outside of a risk assessment, and that assessment MUST answer all of the following questions, or your kit will likely become yet another paperweight on the IT Director’s desk:
1. Is the technology appropriate for the current needs, and the needs of the immediate future only? Anything more than that is excessive, and you were likely sold what you asked for, not what you needed.
2. Who is going to implement it / integrate it? Do you have the skill-set in-house?
3. Who is going to manage / maintain it? Patches? Upgrades? Base-lining / tuning?
4. Who is going to monitor it / perform initial incident response? In-house? Managed service?
5. How are you going to measure it? You’ve made the investment, how do you know if it’s provided a business benefit?
You implement technology to serve a known, documented business need; you don’t write processes after the fact to justify your new technology purchases.
In the end, security is difficult to do well, especially without senior management support, but it is nevertheless EASY to do if, and ONLY if, you don’t try to cut corners.
Looking for a silver bullet is the very definition of cutting corners.