Thanks to some bad timing on the part of our new daughter, I managed to miss the window to refresh my EMT certification and earned the privilege of spending two weekends in a refresher class. The class isn’t bad, but I’ve been riding this horse for nearly 20 years (and have the attention span of a garden gnome), so it’s more than a little boring.
On the upside, it’s bringing back all sorts of fun memories from my days as a field paramedic. One of my favorite humorous/true anecdotes is the “Rules of Emergency Medicine”. I’ve decided to translate them into security speak:
- All patients die… eventually. Security equivalent: You will be hacked… eventually. It sucks when you kill^H^H^H^Hfail to save a patient, but all you’re ever doing is delaying the inevitable. In the security world, you’ll get breached someday. Maybe not at this job, but it’s going to happen. Get over it, and make sure you also focus on what you need to do after you’re breached. React faster and better.
- All bleeding stops… eventually. Security equivalent: If you don’t fix the problem, it will fix itself. You can play all the games you want, and sponsor all the pet projects you want, but if you don’t focus on the real threats they’ll take care of your problems for you. Take vulnerability scanning – if it isn’t in your budget, don’t worry about it. I’m sure someone on the Internet will take care of it for you. This one also applies to management – if they want to ignore data breaches, web app security, or whatever… eventually it will take care of itself.
- If you drop the baby, pick it up. Security equivalent: If you screw up, move on. None of us are perfect and we all screw up on a regular basis. When something bad happens, rather than freaking out, it’s best to move on to the next task. Fix the mistake, and carry on. The key to this parable is to fix the problem rather than doing all the other hand-wringing/blame-pushing we tend to do when we make mistakes.
I think I’m inspired to write a new presentation – “The Firefighter’s Guide to Data Security”.
6 Replies to “The Laws of Emergency Medicine—Security Style”
Truisms are truisms for the reason of being true.
Just because something is a truism doesn’t mean that everyone knows it, understands it or applies it.
Take Rich’s ABCs post awhile back… more truisms. Or for that matter, most of the “good” security posts around are either truisms or based on truisms.
Your mother probably did the same thing mine did… reminded me (usually uselessly) to wear my jacket, do up my shoes, look both ways before crossing. I knew these things… she knew I knew them, but she still said them. It was ‘necessary’.
Here’s another truism: Common sense is not common.
The reason blogs like this are good is that even us [devious, maniacal BOFH] security guys still need these things said.
It is ‘necessary’.
As for the suggested vacation… lol… Rich will be able to benefit from one in about 20 years; till then he will just have to make do with periods of not being “at work”.
Allen,
I need both.
Good point- I tend to think as the responder, not the victim. It’s closer to the fire service where there is a bigger emphasis on prevention. Same thing in mountain rescue- we’d do a TON of outreach to the climbing community, including free avalanche seminars and beacon practice courses.
Will,
I really like the gardening analogy on multiple levels. It never ends, what you grow and what you manage are constantly changing, the different layers of controls.
But I’m a crappy gardener, and a reasonably good EMT 🙂
Rich,
I think you need a holiday (ask your boss)
Your last podcast, as well as some of your recent blog posts have been very negative recently.
Maybe you just need more sleep. 🙂
On this post:
I think that the trick to successfully getting through emergency medical care is not to need it in the first place. Once you are bleeding, it’s a bit late.
Taking your analogy further – we have rules of the road, safety built into our cars, etc.
If you choose not to use your seat belt, have worn tyres and drive fast, then your chance of an accident is high. Layered security will not work for you. When it all falls down… you need to have good response and a ton of luck.
Security is a process, pure and simple. However, in our technology-focused big PLAYERs/BIG PAYERs paid advertising/media/analyst-hyped world, we’ve all been led to believe hardware is our salvation. Pfffftttt! In reality, it’s a wildly futile security arms race where the only people who win are those who are pitching or sitting on the sidelines watching and hacking away. Threats are not all that complex. They just happen to occur where people AREN’T looking. And they’re not that complicated either.
I do like the EMT analogy but I like the gardening analogy better. Despite all the security measures: fencing, insecticides and diligence, one is never quite finished with the gardening process. Sure, fences keep out the big critters but, invariably, the small ones find their way in. Weeds. Pull a weed and another will pop up to replace it. Diligence, persistence and patience. In time, one can eke out a win along with some delicious veggies and berries despite the obstacles! The fruit is the goal!
With security what’s the goal? Security unto itself is only a feature of a well-run operation. I’ve invested in all the IT security armaments only to see them fail. Why? Over-dependence on technology and forsaking the management process. I now pass along my experiences to those enamored with all the security doodads: you can run and you may hide but pests will persist and your work will never be done. But if your goal is something beyond simply being secure, which should be the case anyhow, your reward is waiting for you. And it’s always there while threats are transiently ever-present whatever you try to do.
Why restrict such Pragmatic mojo to just data security? These are universal truisms, not just for security but pretty much every discipline. You will get pwned. You will screw up. You need to contain the damage, remediate the issue, and make sure it doesn’t happen again. Then you move on. Maybe to your next job.