Let’s talk about mediaeval security. After all, it’s more interesting than cyber-security. We think of the middle ages in terms of castles and sieges, and that siege mentality has informed our view of safety ever since. We want a moat, tall and thick walls and, best of all, a heavy iron-reinforced oaken gate we can shut against our enemies. Then we can huddle behind the walls and wait for the investing army to go away.
It is a poor model, and not just as a metaphor for cyber-security: it was a poor way of protecting yourself against real-world aggression, too. Why? Two simple reasons:
While you’re besieged, your economy collapses – there’s no trade, there’s no-one working the fields, you’re eating your seed-stock and herds instead of husbanding them. Metaphorically this reminds us that if you completely lock down your cyber perimeter, you can’t actually get any work done. We need to communicate – to exchange data – in order to function.
It also suggests that the only threat is from the enemy at your gates. Meanwhile, inside the castle, the political manoeuvring continues, the spies and traitors do their work, and the common criminal takes advantage of the concentrated wealth and distracted population. In the cyber-world, too, insider risk is at least as serious a threat as anything on the outside, and it doesn't have to be malicious: more than one siege succeeded because the defenders simply forgot to close a gate.
But it’s much worse than that.
The metaphor itself is misleading. You don’t have a perimeter to defend any more, at least not in the mediaeval sense. Your network is not an island; you can’t dig a moat around your servers and keep everything on the inside – not if you want to compete in the 21st century.
Much of your critical data is “outside” – somewhere in the cloud. Every inhabitant of your fortress leaves a gate open every minute of every day – when they use Google Maps to find that new client, use LinkedIn to research the client’s connections, check their friends’ activities on Facebook, or Instagram a picture of their lunch while connected to your wifi.
You don’t even stay inside the fortress anyway – you and your staff work from home, from Starbucks, from hotels – your firewall spends more time letting them in than it does keeping anything out.
They work on your kit. They work on their kit. They work on borrowed kit. They use local applications. They use cloud-based business tools. They use personal apps. They sign in to your domain for some things; they use Google, or Facebook, or personal passwords for other things.
And this is good. It’s productive, it’s creative, it’s – to use my least-favourite IT word – disruptive of staid and pedestrian traditional business practice.
But it’s a security nightmare.
You need to think differently. Your security has to be pervasive, adaptive, inward- as well as outward-facing. You have to assume you will be compromised, and plan to detect and contain that compromise when it happens. You have to train your staff to defend themselves in this new guerrilla warfare. You need to reassess risk constantly, consider new threats and review your strategy for old ones. This is fluid 21st-century urban warfare, not Game of Thrones.