Security Experts:

Security is a Marathon

“Somewhere in the world someone is training when you are not. When you race him, he will win.” – Tom Fleming

As I’m writing this, runners from all around the world are gearing up to run what is sure to be a very special Boston marathon this year. There is a type of dedication and preparation that is needed to endure such a grueling trek, and as this region hosts these thousands of athletes, it got me to thinking about analogies in the business world. As I looked at the dedication and forethought that these racers put in, I thought that many of the same principles apply in all other facets of life, including preparing an enterprise to thwart constant cyber-attacks.

IT Security is like a MarathonOne of the most basic principles, yet probably most difficult to achieve both physically and mentally, is that there are no days off. Friends of mine who are running enthusiasts tell me time and again that running isn’t a sport; it’s a way of life. Having spent nearly my entire professional career in the security industry, I can also tell you with conviction that security isn’t something that is “nice to have” or a side project IT focuses on when they have the time and budget. Security is a 24 hour a day, 365 day a year proposition and if you fail to keep this standard of vigilance, you will pay the consequences. While runners may not pound the pavement every day, they are always thinking about next steps. How many miles tomorrow? What should I be eating today in order to be ready? In security, if you aren’t planning ahead you are falling behind. That is where the mental preparation becomes so important.

On the surface it probably seems as though running is pretty basic. Simply put on your sneakers and go. Serious runners will tell that in order to be successful when running any type of race, especially a marathon, you need a plan. You need to approach the race in different parts, plan for contingencies and be prepared to adjust your strategy based on the elements and your surroundings. How fast do I want to run the opening few miles? I have to be sure not to burn out too early. When do I eat, drink, and how much of each? What is the weather forecast? What should I wear so I am warm enough but don’t overheat. When you break it all down, it becomes far more complex than it first appeared. It’s the same with your approach to security. When do I install patches? When do I need to schedule a restart for an upgrade? Where do I position the majority of my resources? What areas of the business are most at risk? Again, it goes much deeper than it may appear from the outside.

In security we talk a lot about how the adversary is always a step or two ahead. They have the benefit of planning a very specific attack on one area of the network whereas the security team needs to take a holistic view of the organization and be prepared to fend off an attack at any point. This is a zero-fail operation for the security teams, and a situation where the hacker only needs to be successful once. In running a marathon it’s one day, one chance to achieve your personal best and make all of the training worthwhile. The last thing you want to do on the course is doubt yourself. Did I train hard enough? Am I prepared? Did I eat the right things leading up to the race? In security, the last thing you want to be thinking about when the next big vulnerability hits is whether or not you are prepared. When data is at risk and the company’s brand reputation is on the line is not the time to be wondering if the latest patches and security upgrades have been made. At this point you need to be focused on ensuring that your organization’s most critical data is locked down and have the team focused on spotting anomalies that could be linked to a threat.

I am not a marathon runner personally, but I greatly admire the dedication of those who are. The early mornings, long runs, and attention to diet are just a few of the sacrifices they endure to achieve their goals. Working in security I also greatly admire the dedication of the teams who go through the mental grind on a daily basis to ensure that the organization they work for is protected from outside threats. Security really is a marathon and there are no days off. Sacrifices are needed and tough decisions are required. The motto of our country’s most elite fighting force, the US Navy SEALs, is The Only Easy Day Was Yesterday. I think most marathoners and security people would agree with this. 

view counter
Mark Hatton is president and CEO of CORE Security. Prior to joining CORE, Hatton was president of North American operations for Sophos. He has held senior roles with companies ranging from venture capital-backed, early-stage software vendors to a Fortune 500 information technology services and distribution organization. Hatton holds an MBA from Boston University, Massachusetts and a BA Communication from Westfield State College, Massachusetts.