By Craig Burland, CISO, Inversion6
In the dynamic and unpredictable realm of cybersecurity, striving for perfect solutions can be a futile and counterproductive pursuit. There are too many threats to address. Too many battles to be fought. Too many risks to mitigate. The defender community needs to adopt a more practical, innovative, and scalable approach to security by choosing iteration over perfection. The wisdom of the philosopher Voltaire, “don’t let perfect be the enemy of good,” is pivotal in this regard, emphasizing the importance of achievability. There is good reason the movement “Secure by Design” isn’t called “Perfectly Secure by Design”.
Going Medieval
In building our cyber capabilities, we can look to the development of medieval fortifications as a compelling analogy. Early defenses were primarily designed to counteract localized raids and small-scale warfare. These wooden fortifications provided quick, cost-effective protection against attackers lacking advanced siege equipment. However as offensive threats evolved, so did the must-have features of the fortifications. Stone replaced wood. Wider moats, taller towers, and arrow slits were added to resist more capable attackers. This continuous process of innovation, adaptation, and improvement is a blueprint for the iterative approach necessary to do business securely in the 21st century.
Embracing Iterative Security
Think of the hapless feudal lord who pitched building a massive stone structure to their king in response to spear-wielding, local bandits. “Milord, for a mere 50,000 sovereigns, we will be safe from these brigands in a mere 10-years’ time!” Not only did their funding request likely get denied, but their town also likely got sacked while getting estimates from the stone masons.
Iterative security is about continually adapting security measures in response to the current landscape of threats and vulnerabilities while evaluating emerging threats. This approach acknowledges that cybersecurity is a journey, not a destination. It acknowledges the uncertainty of likelihood and impact in risk calculations and factors that into prevention and detection strategies. Not every threat warrants a best-in-class platform and top-flight resources in response. Sometimes, open-source tools running on the intern’s laptop is good enough.
Benefits of Iterative Security
- Speed: Iterative security allows organizations to respond swiftly to emerging risks. A complete fortification of wooden walls is far better than a half-finished wall of stone. In cybersecurity, it’s common that the best response to a new threat is visibility. This can be done quickly and easily, answering questions like, “How big is the problem?” and “What is our exposure?”
- Focus: This approach allows organizations to prioritize and address the most critical risks first, much like how the most vulnerable parts of a castle were reinforced first. Lesser threats can remain in “visibility-only mode” until the threat level warrants further investment.
- Innovative: Iterative security fosters an environment where innovation thrives. New attacks spawn new ideas and new solutions. Just as medieval castles evolved over time to incorporate architectural and defensive enhancements, our cybersecurity defenses become stronger and more resilient as the threat level rises.
Implementing Iterative Security
- Adopt Agile Development Practices: Agile development is built on constant improvement and prioritization based on the demands of the customers, market, or competition. Cybersecurity can follow the same path, delivering incremental improvements quickly and efficiently.
- Perform Regular Security Assessments: Periodic reviews ensure threats are understood and vulnerabilities are identified much like routine inspections and upgrades of a fortress. Iterative Security doesn’t mean waiting to get compromised before innovating.
- Foster Security Awareness: Educating the organization about security practices helps identify potential threats and, in turn, trigger analysis and response. “Milord, you know that we use the back stairs and that unlocked door in the wall to fetch your ale, right?”
Conclusion
Like those ancient defenders, we must face external threats quickly and efficiently. Not every barbarian sighting warranted building 40-foot stone walls and conscripting all the villagers. Not every script kiddie warrants a cutting edge, million-dollar platform. Cybersecurity is a highly dynamic and rapidly evolving space. Our cybersecurity strategies should be the same. As CISOs, our goal is to create systems capable of mitigating threats and responding to new challenges without hamstringing the business. Chasing perfect security and zero risk is both costly and unattainable. The iterative approach to cybersecurity offers a pragmatic and effective strategy for protecting modern organizations. It not only ensures a strong current-state posture, but it also supports the agility and innovation essential for businesses to thrive in today’s digital world. In simple terms, don’t build an impressive stone tower when a simple wooden fence will do.
About the Author
Craig Burland is CISO of Inversion6. Craig brings decades of pertinent industry experience to Inversion6, including his most recent role leading information security operations for a Fortune 200 Company. He is also a former Technical Co-Chair of the Northeast Ohio Cyber Consortium and a former Customer Advisory Board Member for Solutionary MSSP, NTT Global Security, and Oracle Web Center. Craig can be reached online at LinkedIn and at our company website http://www.inversion6.com.