Generally speaking, security is all about threats and their mitigation. So the textbook approach is to sit down, enumerate the possible threats, write them all down and eliminate one by one.
You don't need me to tell you the ways it goes wrong.
One problem is this process is wrapped in bureaucracy, is driven by numbers and often reduced to boilerplate. Of course there must be strong passwords. Of course there must be permissions. Of course you should use SSL for transport. Of course you should not open e-mails.
By the way, here is a convenient AI-automated solution that will print you an industry standard 120 page security plan. Shareholders happy, auditors happy, good job, well done. There is very little incentive to think outside the box and stay alert, after the plan has been approved and everybody's happy.
But as you know, reality does not work like that.
Instead, the way I think about security is as if I was part of a task force landing on an alien planet. It is dangerous. It is deadly. It is full of viruses, none of which were seen before. Your equipment may be inadequate and will fail at the worst possible moment.
So what do you do all alone and vulnerable in a foreign environment which is hellbent on killing you ?
First, you set the rules and never break them. There must be a handful of basic principles, from which you don't deviate. No exceptions.
Second, you use everything you have. The measures that you take must back each other up, and be applied meticulously and in order. No shortcuts, no workarounds.
Third, you keep tightening the bolts. Look at everything as if it was about to break, the question only being when and how. Fix everything immediately, don't rest assured.
Finally, and most importantly, you plan not for safety, but for containment. The best pattern here is the airlock. One way in, one way out, designed to be locked shut and incinerated in a second.
On to the next planet.
Top comments (0)