Once upon a time there were three little Infosec guys. They used to sit down and huff and puff about how they would build their most secure infosec houses. Even the most nefarious of wolves would not be able to penetrate their empires.
One day, at the end of a rainbow they found a magic CISO with a bottomless budget and their dreams could finally come true. One Infosec guy built a house of straw while the second Infosec guy built his house with sticks. They built their houses very quickly and then sang and danced all day because they were secure. The third little Infosec guy worked hard all day and built his house with bricks.
A big bad wolf saw the two little Infosec guys while they danced and played and thought, “What juicy tender meals they will make!” He chased the two Infosec guys and they ran and hid in their houses. The big bad wolf went to the first house and huffed and puffed and blew the house down in minutes. The frightened little Infosec guy ran to the second Infosec guy’s house that was made of sticks. The big bad wolf now came to this house and huffed and puffed and blew the house down in hardly any time. Now, the two little Infosec guys were terrified and ran to the third Infosec guy’s house that was made of bricks.
The big bad wolf tried to huff and puff and blow the house down, but he could not. He pretended to keep blowing whilst he went around the back of the house and entered through the porch window. Once inside he had a field day, slaughtering the poor little Infosec guys and feasting on the lesson that the big bad wolf cannot always be kept out.
Now this fairytale might be grim enough to be worthy of the brothers Grimm, but it is a harsh reality. The resources we have in defence are never going to match those available to the determined offensive actor. We are always going to have to compromise and “be as secure as we can be”, but ‘can’ is difficult to measure. We calculate ‘can’ with risk assessments, risk appetite and business maturity.
It is perfectly reasonable to decide that as a business you only need or want an Infosec house made from sticks. This isn’t due to an exceptional risk appetite, but more likely due to a small digital footprint, a low maturity and a minuscule business risk. It can often be far cheaper to rebuild a business from scratch – especially if it is cheap and has no reputation to lose. This is the advantage of ‘digital startups’: they have little to lose and happily live in houses made of straw.
To regulate or not?
If regulation dictates that they only have to build from sticks, even if they can afford to build from granite, then you need to look at the capability of the business and how mature they are. Don’t suggest things that are beyond their reach or capability. If they don’t know how to build something out of stone, then it will never get built and they won’t be able to maintain it after you’ve gone. As the Infosec (building) contractor it might be exciting to use a ‘Best Practice’ material, but we must consider the whole picture. Putting in granite walls and forgetting both the windows and the locks will be worse than straw.
One last thing. Don’t forget to make sure the big bad wolf is on the outside before you start building, as otherwise you aren’t building a house – you’re building an abattoir!