Get a gun or get some running shoes – Time to get security fit
When incidents of cyber security are reported analogies are often made with warfare. But is it an accurate metaphor? Some refer to good versus evil – but what about honest mistakes that leave organisations exposed? In true warfare battles are won and lost so, if we really are facing a ‘cyber war’, it would stand to reason that one day either good or evil will win.
The truth is, in cyber security, there are no winners (although there are certainly losers) and there certainly is ‘no end’. Instead, a more accurate mental model for cyber security is needed.
Model of fitness
Fitness, especially when framed in a game dynamic, is a better model for information security as:
- Information security experts are realists and, therefore, don’t expect to ‘win’. Instead, they’re actively seeking to become progressively more resilient in a hostile environment.
- When experts create a fitness programme for a particular sport, the programme is never ‘finished’ because in fitness there is always room for improvement. The same is true for cyber security.
- Good fitness programmes are in a constant state of adaptation to the capabilities of the individual, the team, the competition, and the new developments in technique and technology.
Get your head in the game
The idea of team and individual ‘fitness’ is a useful way to frame IT security tactics so the concepts can be readily accessible to anyone, regardless of technology expertise.
For example, in a football team, you will have some players whose skills are in defence and those who are best played up front in a striking role. Everyone on the pitch needs to understand the rules and their role in the team or the result is chaos. The same is true for your organisation. While the sales team doesn’t need to have the same security skills as the IT security team, everyone in the organisation does need to have good basic security skills and hygiene if they’re to play their part.
Sticking with the football analogy, for each match the team will study their opponents and employ different tactics that they believe will give them an edge. A team that needs to improve future performance begins with ‘coaches’ who evaluate game performance for clues to the specific skills they need to build to become more competitive.
In an organisation, this ‘cyber security coach’ should begin by asking, ‘what are the five worst security events that could happen to the company?’ Could source code be stolen, what about a denial-of-service attack that brings the data centre to its knees, is the customer account data safe or is it at risk of compromise, what about competitive information being stolen and disclosed on the Internet?
Once identified, planning how to tackle each of these scenarios needs to be explored – and must involve executives from every department. The results of these planning sessions will make security programs more specific and form the bones of a ‘game plan’ that describes how the entire company responds to a specific kind of attack.
Practice makes perfect
Once the game plan has been fleshed out, it’s time to practice. Take the most catastrophic cyber security scenario and test the game plan – either as a ‘table top’ exercise, use an outside expert to simulate the scenario, or combine elements of both approaches.
Using the results, such as what worked well and, more importantly, what needs to improved, will help refine the game plan. Then repeat the exercise until this particular game plan is as good as it can be.
Regular practice, in fitness and cyber security, results in dramatic performance improvements, and the entire organisation will develop competitive ‘muscle memory’ that will make it more competitive against difficult adversaries.
Cyber security excellence has to become integral to the core business in the same way fitness has to be part of everyday life. Every player at the top of their game – be it football, tennis or even darts – will advocate that you can’t kick your opponents unless you are disciplined enough to do the work.
Fitness works as a metaphor for cyber security because almost everyone in society has a personal understanding of health and fitness principles and how these principles affect their day-to-day actions. Let’s stop all these war games and get fit – for security’s sake.
Tim (TK) Keanini
Chief research officer