Another week, another security breach at a name brand retail establishment. I heard about this latest one in the news, just like all the others. And then the letter came. From my bank. Telling me my credit / debit card had been hacked. They deactivated it and were going to send me a new one in seven to ten days. This is the third time in four years for me that an account of mine has been hacked. So I went for a jog and started thinking.
Let’s be clear, when I start thinking, things don’t always go well.
What I struggle with as it relates to security is that everyone is spending more and more time and more and more money, but not making any progress. The reports of major breaches seem to be coming more frequently, not less. Are businesses less secure than they were before despite the increased investment? Or are the hackers just smarter than ever?
Personally, I don’t think any of this is true. And this is where it gets weird. I believe there is a connection between the way businesses ought to be thinking about security and raising kids.
You see, with kids, parents move from one strategy to another. If a set of young parents has a single child, they can play man-to-man defense. For those of you that don’t know, a man-to-man defense is an American football defensive scheme where you align each of your defensive players to a single offensive threat such as a wide receiver or a tight end. In the parental vernacular, while one parent cooks, the other can localize the damage the little angel can inflict to a single room, say the family room.
With two or more kids, parents have to move to a zone defense. In a zone defense, each defensive player is assigned an area on the field and as an offensive threat enters their area, they are responsible for covering the person. In this configuration, parents let the little hellions loose around the house and simply try to protect the china in the dining room.
From my perspective, businesses today believe they are in a man-to-man situation where they are trying to protect each and every little detail of their infrastructure. I think they would be more effective using a zone defense. So how would that work? Here’s a playbook.
1) What do you really need to protect? To be clear, you can’t walk away from perimeter defenses like next gen firewalls or encryption technologies. But face it, that’s the kind of stuff that organizations have been obsessing over and the breaches continue. So invest there but perhaps move what limited resources you have to focus somewhere else. But where? What are your business’s really important IT assets? What are the critical apps? Which data (structured, unstructured) must absolutely be protected? For sure, customer information, PHI, PII, stuff like that. But forward-looking marketing plans? I don’t think so. Sure, there’s industrial espionage but does anyone really believe that a soft drink manufacturer is trying to steal the credit cards from a home improvement superstore? No, that’s not happening. The point is that not everything needs every bit of security focus.
2) Not if, but when? That’s right. Someone, somewhere is probably trying to breach your security scheme right now. If they are motivated enough and have enough money, they will probably succeed. Your best bet is to limit the exposure; mitigate the risk. How do you do that? Simple. Control access. Hackers are in constant pursuit of credentials, ideally with elevated or privileged access. If you own this upfront and tightly control what each and every credential has access to, you have solved 50% of the problem. Make sure there are no shared admin accounts. When an employee leaves, CUT THEM OFF. When they change jobs, change their access to match their new job and eliminate the access from their previous role. This is the ZONE in the ZONE defense. Isolate access to only what the user / credential needs.
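The three checks from item 2 (no shared admin accounts, cut off leavers, trim access after a job change) can be run as a periodic access review. This is an added example, not part of the original post; the roster, role map, account records and all names in it are constructed for illustration.

```python
# Constructed sample data: role -> systems that role is allowed to reach.
ROLE_ENTITLEMENTS = {
    "cashier": {"pos"},
    "dba": {"pos", "customer_db"},
    "marketing": {"campaign_plans"},
}
# Constructed HR roster: employee -> current role (None means they have left).
HR_ROSTER = {"alice": "dba", "bob": "marketing", "carol": None, "dave": "cashier"}
# Constructed account export from an identity system.
ACCOUNTS = [
    {"name": "alice", "owners": ["alice"], "admin": True, "enabled": True,
     "grants": {"pos", "customer_db"}},
    {"name": "bob", "owners": ["bob"], "admin": False, "enabled": True,
     "grants": {"campaign_plans", "customer_db"}},  # kept old DBA access
    {"name": "carol", "owners": ["carol"], "admin": False, "enabled": True,
     "grants": {"pos"}},                            # leaver, never disabled
    {"name": "dbadmin", "owners": ["alice", "dave"], "admin": True,
     "enabled": True, "grants": {"customer_db"}},   # shared admin login
    {"name": "dave", "owners": ["dave"], "admin": False, "enabled": True,
     "grants": {"pos"}},
]

def review_access(accounts, roster, role_entitlements):
    """Return (account, finding, detail) tuples for enabled accounts."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        owners = acct["owners"]
        if not owners:
            findings.append((acct["name"], "no_owner", []))
            continue
        if acct["admin"] and len(owners) > 1:
            # A shared admin credential cannot be tied to one person.
            findings.append((acct["name"], "shared_admin", sorted(owners)))
            continue
        for owner in owners:
            role = roster.get(owner)  # None: left, or not on the roster
            if role is None:
                findings.append((acct["name"], "owner_departed", [owner]))
                continue
            # Anything granted beyond the current role is leftover access.
            excess = acct["grants"] - role_entitlements.get(role, set())
            if excess:
                findings.append((acct["name"], "excess_access", sorted(excess)))
    return findings

if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS):
        print(finding)
```
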
I contend that taken together, this zone approach will offer more security to the most valuable assets given the resource and financial constraints we all face. Stated another way, this strategy can be summed up as “find the china, protect the china.”