Written by Dave Stelzl CISSP

The Big Security Mistake Everyone Is Making

We’re in the height of Cyber Monday – How Secure Is Your Data?

There’s One Big Mistake Almost Every Company Is Making – Do your clients know what it is?

If you’ve read my book, The House & the Cloud, you know what it is. This one concept alone has earned me more assessments than I can count. In fact, I just heard that my last lunch & learn meeting had nearly a 100% sign up – the average over the past 12 months is over 95%! How is this possible?

This Thursday I’ll be speaking on these things out in the Bay area – an educational session on what to expect over the next 12 months as people move more into cloud technology, BYOD, and other transformational technologies. Thanks to Solid Networks and Cisco Systems for sponsoring this event!

Have you ever considered how security actually works?

I mean, what makes something secure or not? Since data is so intangible, let’s look at a physical security example. Consider your house. You probably feel pretty safe in your house. If you didn’t you would be up all night keeping watch. Hopefully you’re not doing that.Blog Subscribe Ad

How is your house protected? All houses have doors. You probably lock yours at night and when you’re away, to keep neighbors and squatters out. You also have windows with locks, and might even have a safe inside to store valuables. Perhaps you have a dog, personal firearm, or an alarm just in case someone breaks in. If you were to make a list it might look like this:

Doors Alarm Firearm
Windows Motion Detection Dog
Lock Monitoring Police
Fence Neighbor Watch Insurance

It’s a simple list of 12 things that most of us look to for safety. But the fact is, these things are not what protects us. If I’m right, then what is it that actually makes your home safe? It’s actually a system at work behind the scenes. A system that sits behind every valid security model. It uses these components, but without the system, these components actually do very little to protect you.

Take your door for instance. Is there any doubt that a determined perpetrator could break through your front door? Your door probably has glass windows on the sides, and surely you’ve seen on TV how easy it is to kick in a door. So what is this system I am talking about?

It’s a system with three distinct stages: Protect, Detection, and Response. These headings sit on top of the three columns in the diagram above. The first column provides some level of proactive PROTECTION to keep people out. As I’ve pointed out, it will fail under the pressure of a determined attacker. At that point DETECTION takes over. An alarm sounds or you hear someone breaking in. If your system is built correctly, the DETECTION stage will kick off some form of response plan. That could be a dog trained to protect it’s owner, a home owner equipped to defend his castle, or law enforcement agents responding to a break-in. The key here is timed stages that predictably trigger the next, before it’s too late. If your alarm sounds and it takes the police 20 minutes to arrive, your plan might not be very effective.

Looking back at the three-stage model, all three columns are essential. Each stage must work with timed precision. However, one of these columns is more important than the other two. Can you guess which one it is?

In live training sessions I do for business owners I often take a pole. Is it column three, two, or one. As I go though them I ask for a raise of hands. Maybe 20% of my attendees will choose column three. 10% might choose column two. The rest will go with column one. But the answer is column two – DETECTION. Why?

Consider the physical security around you. Look at your bank. Is the vault open in the daytime? It is! All day. Anyone can walk into a bank. So what keeps your money safe? It’s the bank’s ability to detect a perpetrator before they can get to the money and get away. At night the bank is locked up, but most physical bank robberies take place during the day. Why are they avoiding nighttime? It’s because they know, and the bank knows, that the safe can be compromised with tools and a torch. But they also know how long it takes to crack a safe and how long it will take the police to respond once the alarm sounds. It’s all timed and it works most of the time. The day is less predictable, and so if everything goes well for the crook, chances are better that they’ll get away.

So what is the one big mistake just about every company has made with their data security strategy? It’s the system above. Most information security programs are built on proactive PROTECTION. They rely on firewalls, passwords, and encryption. That’s what we’ve been taught to do by security product manufacturers. Only in the past few years has the story changed.

If you want your data to be safe, your security model has to change. You will have to move from a proactive protection model to one like I have pictured above. One where DETECTION is the primary focus and a well timed response plan follows. Once in place, the question will no longer be, “Can they get in?” They can. The new question is, “How long will it take for us to detect and respond? And is that fast enough?”

© 2014, David Stelzl

P.S. For those waiting for the House & the Cloud Second Edition, we are done editing and just getting ready to send this off to the publisher!

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s