Stay Out of the Tunnel to Minimize Risk

Focusing on Security

As part of my efforts to stay educated, I try to allot some time each day to peruse my Twitter feed, blog feed, and other such sources. Some days are more informative than others, but in general, I have noticed something quite concerning of late. We as a security community tend to suffer from tunnel vision. What do I mean by this? Allow me to explain.

Wikipedia defines tunnel vision as “the loss of peripheral vision with retention of central vision, resulting in a constricted circular tunnel-like field of vision.” In other words, we can see that which is in front of us – in the direction we have oriented ourselves, but we cannot see anything on the periphery. This definition is obviously in reference to a serious and unfortunate physical ailment that some people suffer from. Nonetheless, I believe that we can take the physiological concept of tunnel vision and learn an information security lesson from it.

Tunnel vision poses a significant risk to an organization’s security posture, and indeed to the security profession as a whole. The risks of tunnel vision are summed up quite nicely in a Forbes piece entitled “15 Ways to Identify Bad Leaders”:

Leaders without vision will fail. Leaders who lack vision cannot inspire teams, motivate performance, or create sustainable value. Poor vision, tunnel vision, vision that is fickle, or a non-existent vision will cause leaders to fail. A leader’s job is to align the organization around a clear and achievable vision. This cannot occur when the blind lead the blind.

This point is further illustrated in an FT piece entitled “Look out for the tunnel vision trap”, which offers the following point when discussing vision-related risks:

One is the “tunnel-vision trap”, which occurs when managers fixate on a single vision of the long-term future that distracts them from an emerging situation in the present. This risk is particularly acute in rapidly changing environments, including emerging markets (such as China, India and Brazil), technology intensive industries (for example, medical devices or software) and areas where different industries are converging (such as information technology, entertainment, telecommunications and consumer electronics).

Life is full of distractions, and the information security profession is not immune to them. We as security professionals have an obligation to remain focused on building, maturing, and improving our security programs and security postures. This necessitates a holistic vision focused on mitigating the risks and threats to the whole of the organization. This, by definition, is contrary to a vision fixated on a specific issue. That type of vision would be a textbook case of tunnel vision.

There will always be scandals that will surface, fads that will come and go, and buzzwords that will abound. As information security professionals, our professional duty is to stay focused holistically across all of our duties and not to get distracted or spend an inordinate amount of time chasing shiny objects.

Along these lines, I’d like to discuss two specific topics.

Over the past two years, I have seen an almost obsessive focus on surveillance and encryption. I’m not saying that privacy isn’t an issue (it is) and that privacy concerns aren’t legitimate (they are). Rather, what I’m saying is that, off the top of my head, I can think of quite a number of other threats to both large organizations and private citizens alike. Unfortunately, I don’t see much discussion on any of them. Rather, it seems that we as a community have succumbed to tunnel vision, to the detriment of all of the other topics for discussion.

Similarly, the Internet of Things (IoT) seems to be quite the buzz in 2015. I hear a lot of hype about the security ramifications that IoT brings with it, but what I don’t hear is a lot of substantive discussion on what we as a community will do about it. How do we intend to embrace network-connected devices of all different types, and how will we adapt our existing security programs to bring those devices into the fold? What specific risks and threats do these devices pose to our organizations? How will we go about mitigating those risks and threats? How will we collect the requisite telemetry data? These are just a few of the many questions that will need to be addressed through a substantive discussion.

I advise organizations to resist the temptation to run with the herd. If we take a step back and look at the big picture, organizations are still being compromised via attack vectors we have known about for quite some time. For example, the overwhelming majority of breaches and intrusions still begin with social engineering (phishing and its variants) or watering hole attacks, two very common attack vectors that we as a community still struggle with. True, the specific delivery technologies evolve and change (e.g., email, SMS, chat applications), but the attackers' overall strategy remains much the same: compromise the weakest link, and exploit the human. I am not convinced that my Internet-connected toaster really changes the game all that much.

A deliberate and strategic approach to security is still the reigning king. Managing, mitigating, and minimizing risk is still the best approach for building, maturing, and improving a security program. Granted, certain specifics will evolve and change over time, but the overarching principles and foundational tenets will not.

Education, discourse, and collaboration on a number of different topics simultaneously have always been how we as a community make progress. If we focus entirely on one topic and elevate it to dominate every conversation, we cannot attend to the other, equally deserving topics. It’s easy to follow the herd mentality and jump on the bandwagon, but it comes at a great cost to our communal progress. I am concerned that the issues we have pushed aside in order to follow the herd may remain unsolved.

I’m sure that there are those in the community who will agree with my concern. The question becomes one of whether or not we can gain enough attention for the other topics we are concerned about and interested in discussing. Time will tell. There is certainly no shortage of bright, shiny objects to distract people, unfortunately.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
