The internet is not a highway, but security is like driving a car

I think it is safe to say that the internet is not an information superhighway anymore. Maybe it was once, but now the interstates are threatening to become toll roads, the blue highways have sponsors, and so many things are on the internet that if you do make a wrong turn you could literally end up pinging some guy’s toaster.

No, the internet is not a superhighway: it is endless roads, many of which twist and turn and dead-end. And even that description does not do “the net” justice.

But while automotive metaphors don’t do much to describe the network, they can still be useful.

When an executive asks you, the security professional, “Are we doing all we can to be safe?”, and you’ve first been silent for a bit to drive home the point that you really do reevaluate that question almost incessantly, then you should mention cars.

Here’s what you should try saying:

Being connected to the network is safe like driving a car is safe.  You can crash because of something you do or don’t do, because of something someone else does or doesn’t do, or because of faulty equipment.

When you ask “Are we doing all we can to be safe?”, I need you to consider whether you’ve ever driven on tires that needed replacing or gone over the recommended miles between oil changes.

Do you trust that everyone on the road is as careful a driver as you are?  Do you lock your screen as religiously as you lock your car? 

Do you have a remote for unlocking and even starting your car?  If I told you that thousands of criminals were trying to figure out how to imitate that remote all the time, would you feel that your car was safe?

You know driving a car means assuming some level of risk.  You know you can be a perfect driver in a flawlessly maintained vehicle and still get sideswiped, rear-ended, caught up in a pile-up or have your car stolen.

And recalls. Do you know that sometimes flaws are found in cars and they get recalled to have them corrected? If that sounds like what happens when a vulnerability that has been around for years is discovered on a computer, that’s because it is. Cars, like operating systems, are really complex and they can be manufactured with undiscovered defects.

So if you ask me whether we are doing all we can to be safe, I am prepared to always say “no” and suggest something further we could do. But if you want to know what I think of our current security, then ask me if I am comfortable taking the car out of the garage.
