Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

What My Summer Vacation Reminded Me About Security

Although it’s a little early for the “what did you do on your summer vacation?” essay, I have mine done. I vacationed in Orlando with my family last week. We did the whole Universal Studios/Disney thing, and had a blast. Although my kids called me a geek for doing so, I pondered the meaning of various happenings and observations that week. Here’s my attempt to unpack the significance of these events.

Although it’s a little early for the “what did you do on your summer vacation?” essay, I have mine done. I vacationed in Orlando with my family last week. We did the whole Universal Studios/Disney thing, and had a blast. Although my kids called me a geek for doing so, I pondered the meaning of various happenings and observations that week. Here’s my attempt to unpack the significance of these events.

What My Summer Vacation Reminded Me About Security1. On one of the bus rides I overheard a young lady telling her friends that she “ordered the Polo Picant. That was the spicy chicken. It was soooo good.” Later during the same ride, she announced to her friends that while she also spoke French and Italian, her Spanish was so advanced that she was starting to tutor younger kids. Chances are that if she had actually said “poy-yo” we would not have been so confused, but as it was we were wondering if she had played polo, or eaten pollo. And, by the way, you must pronounce the “e” at the end of “picante.”

“Know-it-alls” like this lady are everywhere. In some ways, they can be more dangerous than “know nothings.” If an IT professional is aware they don’t know something, they can look it up, do some research, ask someone, or even farm out the work. But, if they genuinely don’t know, or they don’t want to admit they don’t know, what kind of quality should we expect as a result?

There is absolutely nothing wrong with saying, “I don’t know” then going and finding the right answer. IT professionals, security geeks specifically, should be okay with admitting this. When egos and personalities are involved it becomes harder, but pretending to know everything only complicates things. “Security” as a concept, is not so complicated, but the specific technology being used to help meet security goals can be very complicated– like it or not, absolutely no one knows everything. Organizations should allow for proper investigation and analysis, and IT/IS professionals should insist on it. You are much better off doing some research and presenting a sound answer than you are with winging it.

2. Strollers are everywhere. To the parents, they are invaluable. You absolutely need one to navigate the parks, and tote all of the gear that your young one requires. To those stroller-less individuals: how many times are you going to play chicken with me, trip me, or actually ram me as I stand still in line?

People have their own priorities and their own agendas throughout your IT and security infrastructures. Often, those agendas and priorities are at odds with each other. Is it more important to have that new server or application up and available in 24 hours, or is it more important that the data on the server be properly secured, and that communications between the server and the corporate network are handled in a safe manner? All organizations should constantly fight to eliminate the concept that security is opposed to functionality. There is no natural tradeoff between “security” and “usability.” Security must be built into your organization as an enabling infrastructure – it allows you to do what you need to do, in a safe manner. Security must be thought of as an intrinsic part of operations, not as a bolt on. You don’t build a server, and then add security–you build a secure server. You don’t build an application, and then secure it– you build a secure application. You consider security requirements as peers along with the other functional requirements. If you are handling PCI data, you don’t specify that you need to be able to process the credit card information, you specify that you need to be able to process the credit card information in a secure manner, along with everything that entails. If you consider security as core to your business model, all implementations become easier.

3. Cultures have different rules. Consider entire groups of people who never wash their hands after going to the restroom, or don’t queue for a line, or consider bathing optional, even in hot weather.

This is a very complex topic. People within a single culture are different enough. Add together people from different cultures and you have a myriad of complexities that involve interpersonal relationships, pride, ego, envy, sense of self-worth, and many other components. People learn differently, see problems differently, and work differently.

People are also the biggest single unknown in your environment. There is no “firewall” or other piece of technology that can control every aspect of a person’s behavior. You try to explain your organizational constraints with policy, and then reinforce those constraints with a security training program. You need to understand the nature of people within your company, and make sure you are truly communicating “with” them, not just “to” them, in a substantial and meaningful way.

4. We had a bad water leak in one of our rooms, and because of the swamp, we had to change rooms. My wife found a 2 ½ inch cockroach in our hotel bathroom. While we were no strangers to cockroaches in Washington D.C., here in Minnesota you never see them unless you are watching the Discovery channel. We were stuck on probably six or seven rides (thankfully, not on “It’s a Small World,” or I would be writing this in crayon) It was bloody hot. We were at about 96 degrees every day, with heat indexes often in the 105-110 range. But that did not stop us, along with 35,000 other people, from going to the parks. It did, however, make us appreciate the ice cold Pina Coladas even more.

Sometimes, stuff just happens, from hurricanes or earthquakes to a broken pin on a power adaptor. I have seen an entire data center taken out when a pallet mover hit a wall just hard enough to crush the power line running through the wall. The resulting short fried the main power control panel to the room, completely killing power to about 2000 square feet of data center. I have seen a system crash because it was sitting underneath an air conditioning unit when the evaporator tray filled up and started dripping into the rack underneath. I have seen an engineer drill into a wall in the wrong place, and hit the building’s sewage line, which promptly drained into the data center. I have no doubt that many people have even better stories.

But part of how good our security program is will be defined by how we manage ourselves when something happens– whether that “something” is environmental, self-inflicted, or the result of a cyber attack. Organizations need incident response and disaster recovery planning. It cannot just be something written down on paper that you expect will never happen. You need a realistic plan that you can implement, while also meeting business requirements. You need to test the plan and be able to recover operations, restoring required services and data. And, you need to be able to migrate back to standard operational systems, including back from any alternate site operations (in a reasonably graceful manner).

5. Cell phones are everywhere. I can understand cell phones. I can see using a cell phone to coordinate parks, rides, lines, and food. But if, while sitting on a rollercoaster, you are texting your BFF from the ride, I do not understand you.

Some of this is just embracing new technology, and some of this is excess use. This can be a fine line. When you start trying to apply security principles to the mobile world, and include social media, some of the classical security paradigms break down. In old-world security, the idea that someone would have access to their Gmail account while at work would have been ridiculous. Simply put, it is absolutely a security risk. It allows a means to pass information into and out of your corporate network via a channel over which you typically have no practical control. This is exacerbated by mobile devices and social media.

The biggest part of this is managing the influence of mobile devices and social media on the workplace. Organizations cannot just “let it happen.” We need a thoughtful strategy of what the company will support vs. what the company will allow. By not directly addressing social media and mobile devices in a company, we enable their use with an implied endorsement. Include social media and mobile devices in your organizational environment in a thoughtful, strategic, deliberate manner.

I could ramble on about other things like throwing the security latches on doors and locking valuables in your safe while you are out of the room, but I consider those “normal” things. My kids stopped me when I told them I was going to wedge a chair under the doorknob.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.

CISO Conversations

In this edition of CISO Conversations, SecurityWeek speaks to two city CISOs, from the City of Tampa, and from Tallahassee.