Building Tanks

A couple of months ago, I attended the Nuclear Energy Institute's Cyber Security Implementation Workshop in Baltimore. The keynote speaker was Brian Snow, a well-known security expert with substantial experience at the National Security Agency. Early in his talk, Snow highlighted the fact that security practitioners do not operate in a benign environment where threats are static, but rather must work continually to counter malice.

Snow offered a good analogy from transportation. When you need a vehicle for a benign environment, you use a car; when you need a vehicle for a malicious environment, you use a tank, which is purpose-built for that environment. A security program needs to provide the defensive capabilities of a tank. However, few security practitioners have the luxury of building the program from scratch. Instead, they must retrofit tank-level security into an IT environment that, much like a car, was designed to be less complex, less expensive, and simpler to maintain. Because of this, security practitioners tend to run into numerous roadblocks when adding layers of controls.

While it may not be feasible to build a complete approach to information security from the ground up, it is important for IT management to recognize that a proactive strategy of incorporating defensive controls will lead to the most robust and effective information security program possible. Security practitioners may also encounter resistance to applying particular controls. In this case, a risk-based approach is advised: will forgoing this control leave the tank substantially weakened, or is the additional protection it affords something that can truly be done without?
Ultimately, a team implementing a corporate security program likely has more obstacles to overcome than the builder of a tank, because there is far more room for differing interpretations of risk in the boardroom than on the battlefield. Even so, it is important to put each and every decision about controls in context; as reliance on information systems expands further into industries such as healthcare, energy, and defense, lives truly may depend on it.