What my toddler taught me about information security
My new role has caused me to look at information security in a different way. It’s always been a hobby for me but I enjoy the challenge of making it my focus each day.
Many companies seem to make a natural progression in security as they grow larger, bring on larger accounts, or find themselves subject to regulation or compliance requirements. That gradual process is usually more straightforward than the reactive process brought on by a security breach and it ends up delivering better overall results for the company.
This reactive process seems oddly similar to the way my son has learned to eat. Confused? Keep reading.
Entirely oblivious
This is how my son first got started. He was so busy trying to figure out how to eat that he had no idea how much of a mess he was making. Eventually, someone would either step in all of the dropped food or spilled juice and it would be all over the kitchen.
If you replace the food and juice with information at a small company, you can see how the same would apply. Many startups and small businesses are focused so heavily on building a product or brand that they forget about the importance of securing the data they are generating and collecting. Everything from trade secrets to sensitive customer data is at risk of being lost. Basic security measures are taken and there’s usually no way to know if a breach has occurred and how deep the breach has gone.
Purely reactionary
Eventually my son realized that making a mess wasn’t a good thing and he started to react whenever he ended up with a lap full of spaghetti. He would notice the problem and cry for someone else to come and help. I’d clean him up and he was back to normal again. The food would end up in his lap again, he would cry, and I’d be back to clean it up.
Companies find themselves in this situation when they’ve been hit with a breach previously and a new issue has appeared. Their security stance has only changed a little and they’re able to determine that something has happened after it has happened. Companies in this stage may consider creating a team focused on security issues or they may look to outside contractors or consultants for help. Much of the focus now shifts to answering “how do we prevent this from happening again?”
Partially proactive
As my son became more skillful at working with a fork and a spoon, he was able to be more focused on eating and he made fewer messes. They may have occurred less frequently but when they did occur, his clothes still needed to be washed and he was still quite upset. He knew what to watch out for and he knew which foods were going to present a particular challenge. It was obvious that he was putting in much more effort to eat spaghetti than he would with something simple like crackers.
This stage in a company’s development usually involves a dedicated or semi-dedicated security team that is beginning to understand the threats and risks involved with the company’s operation. They’re putting focus in certain higher-risk areas but there’s still not a lot of proactive work being done to limit the damage from security breaches. For example, a company might institute stricter firewall rules and OS patching for their most important servers but they might not have any security within their internal network. This would allow an attacker free reign over the environment if they can take over one of the servers.
Passionately proactive
When my son eats, he does quite a few things to ensure success. First off, he sits down and asks for his chair to be pushed in before he eats. He wants a paper towel close by in case something bad happens. With certain foods, he knows the chance of making a mess is higher and he tries to put less of it on his fork. He’s determined to not let food get in his lap, and when it does, he wants to ensure that his clothes stay as clean as possible.
Companies that reach this stage have now realized the risks involved in the operation of their business and they’ve determined how to reduce the impact of a breach. They’re consciously aware that they’re a target and they are taking an offensive security stance. These companies often test their own security measures to make sure that they’re effective against the most frequently seen threats. Their security posture isn’t perfect, but they are able to react more efficiently (and with less chaos) when a serious issue presents itself.
So let’s summarize…
Some readers may think this post is way too generalized. However, the generalization is the point I’m trying to make. Creating a security mindset within a company is generally the easy part; applying it is where things get tough. The concept of information security is actually quite simple: ensure that information is readily available to people who should be able to access it and ensure it’s not available for people who shouldn’t. If you’re starting a small business or you’re working for one right now, build your products and your infrastructure with security in mind. Your other option is to retrofit it later, but you’ll surely make a mess.