At the turn of the century, I was just getting into information security. When the Twin Towers fell, disaster recovery services were in high demand. The exposure to complex, mission-critical networks and hosting designs was a new challenge that I found stressful but exciting. Of all the lessons learned, one popped up recently when I was thinking about retailers trying to balance sales and security. That lesson is what this post is about.

I have seen too many businesses, say a shoe retailer or manufacturer whose focus is on selling or making things, believe that the latest technical gear they purchased is the answer. It isn’t. Today, where safety and availability are key concerns, building fortresses isn’t the answer, and history has proven this. The biggest reason is time: give someone enough of it and they will figure out the vulnerabilities.

So does it come down to hiring a security professional? Maybe. But what I want to address is an approach some can take towards securing their environment. It was Winn Schwartau who enlightened me to the value of time-based security, a model built on three components: protection, detection and reaction.

Internet Security

Here the focus shifts from stockpiling gear and thinking you’re safe to determining the time it takes an attacker to break into a system. If the protection time offered is greater than the detection time plus the reaction time, your systems can be considered secure. This implies that the data received from and sent to the critical infrastructure is trusted – or as close to 100 percent as possible. Because if you can’t measure it, you can’t manage it.

Retailers haven’t needed to concern themselves with risk management the way they do today. Integrated systems, customers and partners have changed that mindset. However, in order to continuously detect anomalous activity and be in a position to respond quickly, you need to estimate the security posture of each asset. From there, creating processes that technology supports makes good sense, because a fortress mentality is not the way to go.
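To make the protection, detection and reaction model above concrete, here is an added example (not code from the post or from Schwartau’s book) that scores a handful of assets by their exposure window, where all asset names and timings are constructed estimates:

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One asset with its time-based security estimates, in seconds."""
    name: str
    protection: float   # P: how long the controls hold against a determined attacker
    detection: float    # D: how long until the intrusion is noticed
    reaction: float     # R: how long from detection to an effective response


def exposure(asset: Asset) -> float:
    """Exposure window E = (D + R) - P, floored at zero when P already covers D + R."""
    return max(0.0, asset.detection + asset.reaction - asset.protection)


def is_secure(asset: Asset) -> bool:
    """Time-based security holds when protection outlasts detection plus reaction."""
    return asset.protection > asset.detection + asset.reaction


def required_reaction(asset: Asset) -> float:
    """Largest reaction time that still keeps the asset secure for its current P and D.

    Returns 0 when detection alone already exceeds protection, i.e. faster reaction
    cannot fix it and the effort has to go into detection or protection instead.
    """
    return max(0.0, asset.protection - asset.detection)


def prioritize(assets: list[Asset]) -> list[Asset]:
    """Rank assets by exposure window so the biggest gaps get attention first."""
    return sorted(assets, key=exposure, reverse=True)


# Constructed sample estimates; the names are placeholders, not real systems.
SAMPLE = [
    Asset("pos-terminals", protection=4 * 3600, detection=30 * 60, reaction=2 * 3600),
    Asset("web-storefront", protection=2 * 3600, detection=24 * 3600, reaction=4 * 3600),
    Asset("payment-gateway", protection=8 * 3600, detection=5 * 60, reaction=60 * 60),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE):
        status = "secure" if is_secure(a) else f"exposed for {exposure(a) / 3600:.1f} h"
        print(f"{a.name:16} {status}; reaction must stay under {required_reaction(a) / 3600:.1f} h")
```

The ranking shows where adding gear would not help: an asset whose detection time alone exceeds its protection time cannot be made secure by reacting faster, only by detecting sooner or protecting longer.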

When the waters are still, your opponents have the time and space to plot actions that they will initiate and control. So stir the waters, force the fish to the surface, get them to act before they are ready; steal the initiative. Once the water is stirred up, the little fish cannot help but rise to the bait. The angrier they become the less control they have… finally, they’re caught in the whirlpool you have made and they drown. –The 48 Laws of Power by Robert Greene