I figured I’d step away from my Cybersecurity Architecture series and CISO’s View series and share my experience in speaking to folks about cyber security. Ideally, you should have a quick 20-second elevator pitch ready that explains the value a security program delivers to the business without using security terminology. I lean on security metaphors that tie the concept to something the listener already knows. The goal isn’t to explain what security is, but why it should matter to them. If you can’t give the pitch to a five-year-old without them looking confused, refine it until you can. If you’re lucky, this will spark interest in the topic and you can move into a deeper conversation.
Aim for Robust Versus Secure
Sometimes it seems like I only talk to two types of folks: those who think security gets in the way of delivering a great product, and those who think we should deliver secure products whatever the cost. As a case in point, I was at a Chemistry Club event where I – as the security guy – was the one arguing against aiming for perfect security, because the cost was too great. I started out by saying we shouldn’t aim to design perfect security, but aim for robust applications instead. Imagine a medical data sharing system that was designed for, and achieved, the impossible dream of perfect security. This system wouldn’t allow the sharing of certain types of data, or certain sharing patterns, that weren’t perfectly secure. Sounds great, right? Well…
Life is full of unintended consequences. To find them we need to step back and see the larger picture. In our medical example above, the larger picture isn’t the medical application. It’s the health care provider making life and death medical decisions for their patients. By limiting the sharing of sensitive information in less than perfectly secure ways, we’ve withheld information that would allow those health care providers to make better, more informed decisions on treatments. Over time, our perfectly secure application would have the unintended consequence of costing lives. This is why, as the security guy, I aim for robust applications versus perfect security.
Find the Balance Point Between Security and Usability
I like to use the metaphor of building a house for what I mean by robust versus perfect security. If we aimed for a perfectly secure house, it would probably look like an underground bomb shelter made of reinforced concrete with no windows or doors. It would be secure – but unlivable. People choose things like usability, aesthetic experience, and the like over security every single time – as they should. We build our houses out of less secure materials, with big insecure windows looking out on beautiful vistas, and wide welcoming doors that expose the house to all sorts of threats like salespeople, junk mail, and trick-or-treaters.
So we’ve designed our houses with built-in security weaknesses, with the larger picture in mind – the need for a livable space for our families. Let me repeat: we realized that security at all costs would preclude the larger goal of a livable space. So the real goal is to strike the right balance between security and usability. We find that balance point by focusing on being robust instead of secure.
Robust Addresses Detection, Prevention, and Response
So what do I mean by robust? We begin by accepting that our house can – potentially – be broken into, and instead focus on how we can minimize the loss in the event it happens. We layer on preventative measures like locks on the doors and windows, building relationships with our neighbors through neighborhood watches, lit roads, police patrols, etc. We consider detective and response measures like alarm systems. We remain vigilant for people in our home who shouldn’t be there and respond appropriately. Then we take a moment to consider the assets we truly want to protect and isolate them in a home safe or take some other measure. We address the remaining uncertainty through insurance policies. Taken together, these measures ensure that our house is robust. We acknowledge that bad things can happen, and take steps to ensure we’re prepared for when they do, so as to limit the harm done.
This is what I mean by a robust security program. We want our companies to be robust: agile enough to take the necessary risks to compete in the marketplace, and focused on the larger picture of delivering the value our customers want. At the same time, we’re prepared to detect and respond in a manner that minimizes the loss. This is why I help companies with a pragmatic security architecture while focusing on ensuring that they have a robust operational security program that can detect and respond fast enough to minimize loss.
This is also why I avoid being pulled into the prevention versus detection debate. A robust business finds the right balance point between detection, prevention, and response. The debate may help drive some vendors’ sales agendas; however, I view the argument as arguing about which is more important on a car: the wheels or the engine? Silly, right?
Give Me Integrated Platforms, Not Magic Beans
This is why I evangelize the creation of an integrated security platform like Apache Metron versus attempting to maintain 20-30 isolated point security products. We need a platform that we can integrate into our line-of-business applications and other enterprise systems, and that enables detection, prevention, and response. We need a platform designed to work in the modern connected world, where our applications are distributed globally, instead of some black box appliance full of magic beans gathering dust in our legacy data center.