Building Tanks
A couple of months ago, I attended the Nuclear Energy Institute’s Cyber Security Implementation Workshop in Baltimore. The keynote speaker was Brian Snow, a well-known security expert with substantial experience at the National Security Agency. Early in his talk, Snow highlighted the fact that security practitioners do not operate in a benign environment where threats are static, but rather must work to continually counter malice. A good analogy that Snow provided deals with transportation. When you need a vehicle for use in a benign environment, you use a car; when you need a vehicle for use in a malicious environment, you use a tank, which is purpose-built for such an environment. A security program needs to provide the defensive capabilities of a tank. However, few security practitioners have the luxury of building the program from scratch and, instead, must attempt to retrofit tank-level security into an IT environment that was designed to be less complex, less expensive, and simpler to maintain, much like a car is. Because of this, security practitioners tend to run into numerous roadblocks when adding layers of controls. While it may not be feasible to build a complete approach to information security from the ground up, it is important for IT management to recognize that a proactive strategy of incorporating defensive controls will lead to the most robust and effective information security program possible. Additionally, security practitioners may encounter resistance to applying particular controls. In this case, a risk-based approach is advised: will forgoing this control leave the tank substantially weakened, or is the additional protection afforded by the control something that can truly be done without?
Ultimately, a team implementing a corporate security program likely has more obstacles to overcome than the builder of a tank due to the fact that there is far more room for different interpretations of risk in the boardroom than on the battlefield. Even so, it is important to put each and every decision about controls in context; as the reliance on information systems expands even further into industries such as healthcare, energy, and defense, lives truly may depend on it.