Finding The Hidden InfoSec Story

A Familiar Story With An Icy Edge

Photo Credit: Heaven's Gate (John) via Compfight cc

It’s a story that is a little over a century old, but one that I am certain you will know. It has been told time and again in books, documentaries, and films to remind us of a tragedy that took place on one clear but cold spring night, leaving some 1,500 victims dead and affecting the lives of thousands more.

It was the early part of the 20th century, only nine years after the invention of the aeroplane, and Atlantic crossings were still made over the course of several days by steamship. World War I was still a few years away and the world was very much divided, not only geographically and culturally but socioeconomically. For those with wealth, crossing the Atlantic was done lavishly, with fine dining, cigars, and brandy; for those who struggled to make ends meet, it was done as quickly and cheaply as possible, not least to avoid contracting disease on the way.

The world marvelled at a new ship, Titanic, which was built for luxury, though speed was to be one of its assets and perhaps one of its greatest liabilities. At the time, Titanic was the newest, largest, and grandest ship in the world. That, however, was not the most prominent news about her. What was newsworthy was that a ship had finally been built that could contend with the dangers at sea and simply could not sink. Those were famous last words. History proved that even with sixteen watertight compartments intended to keep her afloat, the laws of physics would be upheld. The bulkheads that sealed the compartments only rose as high as the third-class decks, and Titanic could stay afloat with any four of them flooded. As fate would have it, five compartments were breached at the bow, allowing water to enter the hull and spill over the top of one bulkhead into the next. Titanic and a large number of her passengers went to a watery grave on the floor of the Atlantic at approximately 2:20am on April 15, 1912, only a few hours after striking the iceberg, and the headlines were rewritten: the unsinkable ship had sunk. Some attribute the disaster to an oversight in the design. Others blame the loss of life on poor practices by the crew. What is most striking is that there were multiple contributing factors which, although no longer evident in Atlantic crossings, surface in common security practices at organizations across the globe.

No prior study had established that the rudder was too small to give a ship of such size the manoeuvrability it needed in an emergency. As a result, Titanic’s crew would have needed far more warning to steer a course around the iceberg. The problem is that many threats arrive with little or no warning. Many organizations have implemented security measures that served them well against yesterday’s threats, but technology has changed since then, and that change hands the adversary new tools and new strategies. People, process, and technology must all innovate to keep pace. The nimble stand the greatest chance of surviving new threats.

Regard for human life had been placed below aesthetics and below compliance with outdated regulations, which stated that Titanic need not carry lifeboats for all of her crew and passengers. The boats she did carry had room, even if every one had been launched full (which the rescue operation showed was not the case), for only about half of those on board. Compliance still seems to be a huge driver for security practice around the globe, yet compliance is a set of minimum requirements fixed at some point in the past. The rate at which information is created and consumed is moving far too swiftly for compliance to be the yardstick of security effectiveness. Risk, and the consequences of security that is not implemented effectively, are much better drivers for protecting information.

Titanic could have slowed down upon receiving warnings of nearby ice, which was the prudent practice at sea in a pre-sonar and pre-radar era. Organizations are likewise prone to cutting corners and using hasty, miscalculated tactics to gain a competitive edge rather than taking a strategic, risk-based approach to conducting business, which may take longer but pays dividends over the long term.

The watertight compartments were supposedly Titanic’s best defence against an iceberg collision, yet this ultimate preventive control failed to stop her from sinking. A better defence would have been to detect the iceberg earlier, which would have been far more likely had the crew in the lookout been equipped with binoculars. Similarly, most organizations spend vast amounts of money on preventive information security solutions and very little on detective ones. Preventive controls will ultimately fail, either against events that were completely unforeseen or against events that are expected but whose exact form cannot be anticipated. In either case detective, responsive, and corrective controls must be in place as backup measures to reduce the impact of a threat. Organizations need to adopt a sound balance of control types spanning deterrent, preventive, detective, responsive, and corrective measures.

Author: Andrew Bycroft