SecurityWeek

Security is a Marathon

“Somewhere in the world someone is training when you are not. When you race him, he will win.” – Tom Fleming

As I’m writing this, runners from all around the world are gearing up to run what is sure to be a very special Boston marathon this year. There is a type of dedication and preparation that is needed to endure such a grueling trek, and as this region hosts these thousands of athletes, it got me to thinking about analogies in the business world. As I looked at the dedication and forethought that these racers put in, I thought that many of the same principles apply in all other facets of life, including preparing an enterprise to thwart constant cyber-attacks.

One of the most basic principles, yet probably most difficult to achieve both physically and mentally, is that there are no days off. Friends of mine who are running enthusiasts tell me time and again that running isn’t a sport; it’s a way of life. Having spent nearly my entire professional career in the security industry, I can also tell you with conviction that security isn’t something that is “nice to have” or a side project IT focuses on when they have the time and budget. Security is a 24-hour-a-day, 365-day-a-year proposition, and if you fail to keep this standard of vigilance, you will pay the consequences. While runners may not pound the pavement every day, they are always thinking about next steps. How many miles tomorrow? What should I be eating today in order to be ready? In security, if you aren’t planning ahead you are falling behind. That is where the mental preparation becomes so important.

On the surface it probably seems as though running is pretty basic. Simply put on your sneakers and go. Serious runners will tell you that in order to be successful when running any type of race, especially a marathon, you need a plan. You need to approach the race in different parts, plan for contingencies and be prepared to adjust your strategy based on the elements and your surroundings. How fast do I want to run the opening few miles? I have to be sure not to burn out too early. When do I eat, drink, and how much of each? What is the weather forecast? What should I wear so I am warm enough but don’t overheat? When you break it all down, it becomes far more complex than it first appeared. It’s the same with your approach to security. When do I install patches? When do I need to schedule a restart for an upgrade? Where do I position the majority of my resources? What areas of the business are most at risk? Again, it goes much deeper than it may appear from the outside.

In security we talk a lot about how the adversary is always a step or two ahead. They have the benefit of planning a very specific attack on one area of the network whereas the security team needs to take a holistic view of the organization and be prepared to fend off an attack at any point. This is a zero-fail operation for the security teams, and a situation where the hacker only needs to be successful once. In running a marathon it’s one day, one chance to achieve your personal best and make all of the training worthwhile. The last thing you want to do on the course is doubt yourself. Did I train hard enough? Am I prepared? Did I eat the right things leading up to the race? In security, the last thing you want to be thinking about when the next big vulnerability hits is whether or not you are prepared. When data is at risk and the company’s brand reputation is on the line is not the time to be wondering if the latest patches and security upgrades have been made. At this point you need to be focused on ensuring that your organization’s most critical data is locked down and have the team focused on spotting anomalies that could be linked to a threat.

I am not a marathon runner personally, but I greatly admire the dedication of those who are. The early mornings, long runs, and attention to diet are just a few of the sacrifices they endure to achieve their goals. Working in security I also greatly admire the dedication of the teams who go through the mental grind on a daily basis to ensure that the organization they work for is protected from outside threats. Security really is a marathon and there are no days off. Sacrifices are needed and tough decisions are required. The motto of our country’s most elite fighting force, the US Navy SEALs, is The Only Easy Day Was Yesterday. I think most marathoners and security people would agree with this. 
