C-Level Security: When your team uses military analogies, are they using the wrong narrative?

For years, I have bristled when people used medieval military descriptions in an attempt to convey concepts within the network security business. Bastions, firewalls, moats, drawbridges, countermeasures: all of these descriptions eventually give way to a more accurate and detailed explanation of what is really taking place.

Well no, it's not really a wall holding back network fire. It's more like a, uh… a filter?

Could we not have started with a more accurate explanation in the first place? How did we get here?

While working in a lab outside of Boston in the late 1980s, I happened to overhear a conversation our administrator was having with someone on the phone. The person calling was interested in finding an engineer who knew about the ARPANet. Being the only one there at the time, our admin looked at me and asked if I would like to talk to a "Colonel Campbell" about the ARPANet. Would I? Yes, I would!! As Woody Allen said: '80% of success is showing up'. What he failed to mention was where you need to show up. On that day, it was the administration office.

I took the call and had a great chat. He was a former Colonel (Army Intel, retired) and ran a small consulting office in DC. He provided security assessments for government contractors doing business with government agencies and had a certain level of compartmentalized access. Think top secret. He explained he needed a 'contractor' from the lab where I was working to assist him. However, he could not tell me what it was about until after I was 'under contract'. We proceeded to get the paperwork on both sides complete, and I was briefed into the program.

Turns out this small consulting company had a very lucrative business in verifying that companies engaging with government entities were actually complying with the security agreements that were executed. This consulting company needed to verify the security of a UUCP** connection to the ARPANet for a large New York City bank.

In meetings prior to the engagement, we discussed what they normally delivered as their work product, the construct of the engagement, the activities, the presentation, etc. The conversation veered towards the gatekeeping activity of electronic networks. Though the packet concept on which the internet is based was innovative at the time, electronic networks were not new. Every computer manufacturer had a networking product that allowed machines to communicate, though most did so in a rudimentary manner. So my new military-trained friends were aware of networks, and were interested in learning more about the UUCP connection to the ARPANet.

The discussion then drifted to characterizing network security. Being military guys, they started to frame the discussion in terms they were comfortable with, terms describing the tactics and strategies used in the military. Though there were some parallels, I found the discussion then, and find it now, to be a bit hollow. At the core of this thought is that the packets we battle with have, unlike the weapons of traditional warfare, no mass and no inertia. They are the definition of ethereal. Is there a better narrative?

Today, just today, there is a new cybersecurity startup that is completely formed in the military mold. Perhaps this is the correct and surviving model? Too early to tell; however, I believe that there can be a more accurate narrative when engineers are engaged with the C-level. In this posting, I would like to explore with you the development of a more accurate narrative, one that might better describe, and hence communicate, the world we live in when trying to manage and mitigate cyber engagements.

To start this discussion: is 'firewall' still the best term for the security devices installed at your private network's edge? Is a bigger, more expensive firewall a better door, analogous to a vault's door being more secure than a screen door? IDS/IPS systems, are they not low-performing discriminators? Perhaps the lexicon would be more accurate if signaling terminology were used? Perhaps describing these events in a semaphore paradigm would be more accurate?

Please post your thoughts as replies, and thank you very much for all of the terrific responses to my last C-Level posting.

**For those who are not familiar with the migration of services that eventually formed the Internet, the Unix-to-Unix Copy Protocol (UUCP) was used to transfer email and news in the early days of what emerged to be the Internet.
