Security Experts:

What Does Summer Vacation Have to do With Information Security?

There is something magical about children and summer vacation.  As adults, we sometimes get so caught up in day-to-day life that we forget about this magic that we once experienced.  That is, until we let ourselves experience it together with children. Only then can we view the magic of summer through adult eyes and learn the important lessons this experience teaches us.

What does summer vacation have to do with information security? More than you might initially realize. In this piece, I will discuss some of the connections between our profession and those magical childhood days.

● Fun, but not at the expense of safety: Children on summer break want to have fun all day, every day.  As adults, we understand something that we may not have understood as children: safety comes first.  In security, a similar rule holds. The business needs to operate efficiently and effectively, but not at the expense of the sensitive, confidential, and proprietary data of customers, employees, and other stakeholders. The success of the business is paramount, but it needs to happen in a safe and secure manner.  As security professionals, we can learn and appreciate the goals and priorities of the business.  From there, we can ensure we work collaboratively with the business to help it operate securely and keep unnecessary risk to a minimum. That makes security a partner to the business, rather than an adversary.

● Insurance is important:  As children, we may not have understood that the facilities we frequented and enjoyed were insured.  As adults it seems obvious that this was the case - in the event that something harmful occurred to someone, both business and customer needed to ensure that they were protected.  Along these lines, cyber insurance has become ever more commonplace, whether we believe in it or not.  In recent years, businesses have understood the need to protect themselves against losses and damages resulting from attacks against their information systems. They see cyber attacks and the damage that results from them similarly to the way they see damages resulting from other types of challenges and issues that the business encounters regularly.

● Cheaper isn’t always cheaper: Can you really afford a bargain basement price?  At first, this question seems preposterous - wouldn’t we want the lowest price always? Think about it in terms of, say, and amusement park for children. Do we really want children riding on rides that may not be designed, maintained, or operated safely just because it is a cheaper overall experience?  In security, we sometimes have to pay more for the right talent, the right process, and/or the right solution.  If we do our research properly and optimize the resources we invest, what appears to cost more may actually save us time, money, and a whole lot of aggravation in the long run.  Not to mention the fact that it will likely make it easier for us to achieve our goals, rather than harder.

● Everyone wants more time at the pool or beach: We all remember reluctantly getting out of the pool or the sea when we were asked to as children.  On the other hand, I’m sure that most of us never asked for more opportunities to take out the garbage or wash the dishes.  In security, there have always been and will always be more and less interesting activities and experiences.  As professionals, we have to make sure to give proper attention to all of them, and not just the ones we like.  Otherwise, we put our organizations at risk by ignoring or underinvesting in elements and functions that are critical to maintaining and improving our overall security posture.

● A little boredom is a good thing:  As children, we likely all pronounced that we were bored from time to time. What we realize now as adults is that a little boredom is healthy.  Being occupied constantly and running from item to item in a continual state of overdrive isn’t healthy for anyone, child or adult.  In security, the routine of day-to-day security operations can seem tedious and/or monotonous at times.  But what we may not appreciate when things are running smoothly is that it can all go awry at any moment.  All it takes is one audit finding, one regulatory finding, one executive inquiry, or one high profile incident to turn our world upside down and take us away from our important day-to-day work.  We need to ensure that we do everything in our power to stay on top of risk and keep security boring.

● You don’t know what you’ve got till it’s gone: Joni Mitchell wrote these words in her 1970 song “Big Yellow Taxi.”  How many times do children pay too little attention to something or other, only to want it back the moment it’s gone.  The same holds true for adults, even though we might be slightly less good at admitting it to ourselves.  Security is no different in this regard.  We may dislike a certain task, fail to understand a particular activity, or balk at a specific assignment.  But if we allow ourselves to appreciate it for what it is in the moment, we can approach it with gratitude and accomplish it properly.

● Plans can change: We might have planned the greatest summer ever, only to have something come up and change the plans all around at the last minute.  Change is a part of life.  What sets some people apart from others is not that their plans change, but rather, how they handle that change.  The same is true in security.  We may have an amazing security strategy that we’ve set out to implement.  Along the way, we will encounter obstacles, roadblocks, and even landmines.  What sets a great security program apart from a good one is not whether or not the program encounters these stumbling blocks, but how it responds to them.

Is there something magical about children and summer vacation? Indeed. Are there important lessons from the summer vacations of our childhood that we can apply to information security? Absolutely.

view counter
Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.