Last month Lucas Glover won the 2009 US Open Golf Championship. Although a remarkable victory, my attention was fixed on Tiger Woods. As the Bethpage rains piqued his swing I couldn't help but recall his thrilling victory at Torrey Pines (location of the 2008 US Open). The images of him in physical pain, struggling, and playing the entire 5 rounds on less than two knees, battling Rocco Mediate for the championship, were the stuff of legends. Shortly after that mesmerizing performance, however, Tiger Woods announced his plans to undergo knee surgery, and the end to his 2008 season. What (you may ask) does this have to do with digital security? Quite simply this -- digital security is akin to reconstructive knee surgery. The importance and effects of knee surgery to Tiger's career are not dissimilar to the challenges faced by a frequently overstressed and overworked IT director who is expected to efficiently, effectively and economically deliver a secure system.
In golf the front knee is the pivotal body part responsible for balance and weight-shift during the swing. The slightest glitch (consider a torn ACL) can upset the very delicate balance between rhythm, swing speed, swing path, club length, grip tightness, weight distribution and torso twist. Without a strong knee a golfer is hopeless; without a BlackBerry, Exchange or web server most organizations would be similarly "knee-less" and without their "swing".
For a serious golfer, let alone Tiger Woods, the excruciating physical pain caused by playing on a torn ACL is surpassed only by the mental frustration experienced during an extended rehabilitation period. Not only does the golfer have to contemplate potential unsuccessful results of the reconstructive knee surgery during the rehabilitation period, but he also has to fight daily doubts that attempt to erode his confidence.
Here is where the analogy to digital security takes hold. Remediating digital vulnerabilities requires both surgery and rehab time. Implementing security solutions is vital, but pointless without the subsequent culture change required to follow new policies and procedures. But herein lies another challenge: performing these changes with acceptable levels of ROI and manager buy-in. Many IT directors and C-level decision makers have had poor experiences with security products and services. "Quick-fixes" and reactive implementation of security protocols have left many disenchanted with the effectiveness of security solutions. There's a pervading sense that product-specific promises were woefully overstated and largely unfulfilled. Regardless, the pinch in their organization's "front knee" reminds them that serious problems loom on the horizon and, inevitably, time for digital surgery and rehab will be required.
Where should a security program and policy start and end? How far should one go when considering legal, regulatory and contractual obligations? What about liability? What about confidence in one's information system's operational longevity? What about peace of mind? The answer is simple. Consider, again, Tiger Woods' reconstructive knee surgery.
To perform his surgery Tiger did NOT do several things. Firstly, he did not approach his general practitioner for advice on his knee surgery. Secondly, he did not provide his GP with a DIY book or medical journal articles on how to perform reconstructive ACL knee surgery and expect him to perform this surgery. Thirdly, he did not pay to educate a surgeon to become proficient in knee surgery and to then perform his knee surgery. Instead Tiger went to the best ACL reconstruction knee surgeon he could find. He went to a specialist to restore the functionality of the most important part of his operating machine. Further, he was willing to take the time to heal it properly, to go through the rehabilitation process in a disciplined and thorough manner thereby ensuring longevity and future success.
Security is no different! In essence, it is reconstructive knee surgery. Understanding vulnerabilities and implementing effective security measures requires skill and expert knowledge, not a review of off-the-shelf books with flow-by-flow diagrams. Digital security is knee surgery!!
The industry is riddled with products, including hardware and software and services, all claiming to make any trained (or "certified") user a security technician. However, these require time and money to implement correctly and to manage efficiently, and expert knowledge to use proactively. Some succumb to the temptation that purchasing gadgets and certifications will make them more secure, thus validating their assumption that money spent is a dependable metric of digital security. Frequently, these are later discarded for a loss of both time and money.
I have seen the temptation of a "security quick-fix" or the desire to "go it alone" commandeer an IT department's decision making process. Inevitably, these (like Tiger's arthroscopic surgeries) are incapable of quelling the pain. Instead, when an organization takes an "ACL knee surgery" approach, relying on expert advice and services, and implements recommendations in a disciplined and thorough manner, it experiences greater and longer lasting success. Additional benefits are also realized. The rehabilitation period is usually shorter than projected, leading to increased productivity and confidence in IT operations. Also, subsequent policy and procedure changes are less time consuming and resource dependent, adding value to the organization. Lastly, IT infrastructure changes are usually more efficiently planned and more securely executed as a result of a disciplined approach.
If past is prologue, companies who are committed to digital security will be surprised by how quickly and successfully they find their swing, even in this rapidly changing digital world and regardless of the ever-present storms of risk that pour drenching rain all around.
Jurgen Van Staden, JD CNSS
Senior Risk Analyst