Running Marathons: The Perfect Cybersecurity Analogy

What follows is an analogy that I have been meaning to write for years, but, like all great procrastinators, I let life get in the way.

Be warned however, I have taken significant ‘poetic licence’, and generalised outrageously, so don’t be too upset with the glaring ‘plot’ holes. I have also written this from the perspective of my own experience running, not from a true runner’s perspective. Anyway, I’m still faffing…

20 years and 20 kg ago I ran a marathon. Certainly not because I wanted to, but because I lost a bet while several pints into a happy hour. And there’s my first comparison; in no way did I want to run 26.2 miles (even for the worthy cause I ran it for), just as no organisation wants to spend money on security.

I ran because I made a promise, so in my mind I had a specific and unbreakable obligation to follow through. For organisations it’s actually a lot simpler, there are regulations/laws, contractual commitments, and a plethora of other obligations to fulfil. They, quite literally, do not have a choice, yet often choose to do nowhere near enough.

Next I had to work out HOW to run a marathon, and just like security, it’s very simple, but extremely difficult. Perhaps one in a thousand people can run a marathon without training, just as VERY few organisations will naturally develop an appropriate security posture out of the gate. You have to go out and find the right expertise to help you, and for that you have to ask the right people the right questions.

Like runners, I’ve never met a security person who does not want to help, it is quite literally in their nature. In fact, they don’t just want to help, they go out of their WAY to! Often without being asked, why do you think so many of them write blogs?! So I found a right group of like-minded people and we took the advice of an expert marathon runner.

Next, I needed a plan, and this is where the analogy breaks down a bit. I was only going to run one marathon, so my only plan was the finish line 26.2 miles away. There is no finish line in security, it never, ever, ends. But if I was a professional runner, the analogy holds true, as the finish line of one race is just part of a plan to reach whatever level of running is right for you.

The best thing about having a plan is that it forces you into an early understanding of ‘appropriate’, as anything more or less than that isn’t going to get you where you need to be. Too much or too little can, and usually will, get you into trouble.

Next, to run long distances, you will need the right equipment. From running shoes, to clothing, to water bottles, to supplements, the appropriate equipment will be different for every runner in the race. What you won’t/shouldn’t do is make the assumption that the equipment ALONE will get you across the finish line. It won’t. Ever.

So why do we throw technology at broken security processes? You would not allow the manufacturer of running shoes to make the outrageous claim that you don’t need to exercise. And you would also not believe a provider of energy drinks with claims you don’t have to watch what you eat. Yet organisations spend billions on security technologies that are equally unrealistic.

In the end ‘silver bullet’ claims are ALL lies, as the only thing that works is ‘putting in the miles’.

Now you have to maintain. If I had run just 3 or 4 miles a day after the marathon was over, I would not be far off the capability of marathon distance to this day. As it is, I am back at the very beginning. Worse actually, because I know what I have lost, and can see first hand in the mirror the consequences. Same with security, if you treat security as a one-off exercise you have completely lost any argument related to accountability because you DO know better.

There are many other aspects of security that I could compare, but this blog is long enough already. However, the most important thing to keep in mind is that just like running a marathon, there are no shortcuts to good security. No amount of technology or gimmick is going to get you across the line, only bloody hard work, and a plan.

And for those looking for the right help, whose advice are you going to take, someone who’s actually run a marathon, or someone who sells running shoes?
