Building Tanks
A couple of months ago, I attended the Nuclear Energy Institute’s Cyber Security Implementation Workshop in Baltimore. The keynote speaker was Brian Snow, who is a well-known security expert with substantial experience at the National Security Agency. Early in his talk, Snow highlighted the fact that security practitioners do not operate in a benign environment, where threats are static, but rather must work continually to counter malice. A good analogy that Snow provided deals with transportation. When you need a vehicle for use in a benign environment, you use a car; when you need a vehicle for use in a malicious environment, you use a tank, which is purpose-built for such an environment.
A security program needs to provide the defensive capabilities of a tank. However, few security practitioners have the luxury of building the program from scratch and, instead, must attempt to retrofit tank-level security into an IT environment that was designed to be less complex, less expensive, and simpler to maintain, much like a car is. As a result, security practitioners tend to run into numerous roadblocks when adding layers of controls. While it may not be feasible to build a complete approach to information security from the ground up, it is important for IT management to recognize that a proactive strategy of incorporating defensive controls will lead to the most robust and effective information security program possible.
Additionally, security practitioners may encounter resistance to applying particular controls. In this case, a risk-based approach is advised. Will forgoing this control leave the tank substantially weakened, or is the additional protection afforded by the control something that can truly be done without?
Ultimately, a team implementing a corporate security program likely has more obstacles to overcome than the builder of a tank due to the fact that there is far more room for different interpretations of risk in the boardroom than on the battlefield. Even so, it is important to put each and every decision about controls in context; as the reliance on information systems expands even further into industries such as healthcare, energy, and defense, lives truly may depend on it.