There’s been a lot of debate lately on quantitative vs. qualitative risk, frameworks, models, metrics, certifications, standards, and all sorts of other organizational junk we seem to burden ourselves with. Oh, I’m no better, having authored a risk management framework, data security hierarchy, and similar tools in my past.
At times, I step back and realize we’re losing the big picture in this morass of acronyms and long documents with words like “Section 248, Subsection B, Paragraph A, Revision 42”. While I hate to knock my own industry off its pedestal, we sometimes forget that we are just the complex implementation of a very basic need.
Thus it’s time to dumbify security and kick it old skool. Here’s my n-step guide for the perfect, basic, security program:
- Figure out what’s important, and why: We often get wrapped up in pet projects, personal biases, or other distractions. When you look at your business, what’s really important, and what can you live without? Yes, I’m over-simplifying, but that’s the point of this post. I’ve seen n-degree complex risk analyses that still fail to capture what’s important. You’ll use those models later, but at some point just take a step back and really look at what could hurt you in a big way. That’s the most important stuff, and it deserves more attention than everything else.
- Decide if anyone stands to gain by stealing it or breaking it: Just because it’s important to you doesn’t mean it’s important to anyone else. In this step, just ignore the noise of the constant background threats (what my friend Richard Stiennon calls background radiation) and focus on directed threats, where someone has something financial to gain.
- Know how it’s protected: What security is in place?
- Figure out where the holes are: There are always holes; where are they? How hard are they to find and use? Back in physical security days we’d walk around the facility before an event, figure out all the ways in… including obscure ones like climbing buildings (those Dead Heads are seriously dedicated), and how hard they’d be to take advantage of.
- Block the holes, until it’s too expensive to block the holes: At this point you know your priorities, you know the threats, and you know the weaknesses. Now it’s just a matter of layering security until risk is reduced to an acceptable level.
That’s all we do. We figure out what’s important, what the risk is to it, and how to best reduce that risk. Every single one of you reading this knows that, but we still get so wrapped up in agendas, frameworks, internal politics, and compliance that we sometimes forget we’re just there to help the business take the greatest amount of risk it wants to take, in the safest way possible.
I don’t care what complex risk/security framework you’re using… stick to the basics. Know what’s important, have a rough idea of how much it’s worth to you, and drop in enough layers until you think it’s protected well enough. All those complex models should be tools to help you achieve the basics, not the other way around. We protect stuff, pure and simple.
Yes, you still need metrics and frameworks, but you can’t define security as just a bunch of metrics and checklists.
I also highly recommend a good 12 step program…
3 Replies to “Security Isn’t Rocket Science”
Back when I was a paramedic I learned one of the most valuable life lessons I could possibly have imagined: we have a tendency to make our lives a lot more complicated than they need to be. I’m not talking about running off to live in a cave or anything, but we get emotionally and intellectually wrapped up in things that, when you take a step back, aren’t all that complicated.
I may have all sorts of toys, friends, family, work issues, home issues, and the rest of the normal complexities of life, but overall I live a pretty simple life.
It’s what we used to say in the infantry: “The best, well-thought-out plan executed with lackluster performance will always be beaten by the half-baked plan executed with violence of action”. Yes I paraphrased because some of the words are not fit for public consumption.
Your attackers execute simple plans. For the most part, they don’t have the manpower to do anything but.
Simple thing: security is no different from anything else—project management, business management, engineering, etc. We only think it’s different. Yes, I have my techniques which seem really complicated, but really they’re easy to do once you know how to do them, so I get a ton of traction out of it.
BTW, nobody likes a quitter. Just thought I would get that out there. =)
Amen to that. Before I got to the end of the post, it was reminding me of that 12 step program, but simpler. It’s like the process people have to go through to get their loved ones to get into a 12 step program… How to organize an intervention?
But the beauty of our revered logic is often lost on the grown-ups when believers (usually living in the basement of the outhouse) try to explain it to them. I think there needs to be an element of emotional appeal somewhere that hits them where they live. Fear mongering often works, but it’s easy to identify and neutralize. In other words, we have to teach people how to be passionate about protecting their own interests in a rational way.