Finding The Hidden InfoSec Story

The Boy Who Cried Wolf

Photo Credit: Tambako the Jaguar via Compfight cc

We all know the tale of the boy who cried wolf. According to the Aesop, the Greek story-teller, the boy played tricks on people in his local village, repeatedly pretending that a wolf was trying to attack his flock. The locals soon tired of the game and chose to ignore him. Then one day, when a real wolf came along and he raised the alarm, nobody responded. The locals just thought it was another trick.

The moral of the tale is that if you tell lies, then no-one will believe you even when you tell the truth.

But here’s a thought. What if Aesop got it wrong? What if the boy actually did see a wolf, but by the time he fetched the locals, the creature had crept off into the woods? Maybe the real story was that the wolf was a clever fellow who realised that by biding his time, he could convince the locals that no threat existed, and by so doing, persuade them to be less vigilant.

So what could the poor shepherd boy have done to strengthen his case? Well, these days, he’s whip out his smartphone and take a picture. Back then, in 500BC, he might have looked for pawprints in the mud, or some other sign that a wolf was nearby, such as droppings on the ground.

Or maybe – as a last unwelcome resort – he would have had to wait for one of his lambs to be attacked and show the mangled carcase to the locals.

People working in information security may see a parallel here with their own world, especially if they are very good at keeping the wolves away from their digital assets. In times of tight budgets, it can be very tempting for company boards to ask the question: “When did we last have a security breach?”

When the head of information security proudly announces “Never”, then someone is bound to ask if it’s worth pouring yet more money into security when no real danger appears to exist.

And when that same head of security insists that the hackers are out there waiting to pounce, then someone will say: “Prove it”.

This is where the information security chief has to be well prepared, He or she should be able to produce solid proof of how many attacks have been repelled and how many intruders kept out. The security devices that protect the organisation can be configured to produce invaluable statistics to demonstrate their value, but managing that mountain of data can sometimes be overlooked.

Indeed, it has been known for some organisations to switch off their intruder detection systems because they were generating too much data. Which is a bit like ignoring the annoying car alarm or house alarm that keeps going off. Just like the locals in the fable, we all tire of false alarms, and that can reduce our ability to spot a real problem.

So, if you want to prove there is a wolf on the prowl, prepare to prove it by using the tools at your disposal carefully. Gather the statistics and make the case to prove that previous investment money has been well spent.

Also, gather evidence of other companies that have had security breaches and explain the impact those breaches have had on their reputation and share price. Look to the US, where data breaches have to be declared, and where there are tons of good examples.

If you can do that successfully, then you will not have your budgets cut. And more importantly, you won’t end up with a breach, and a mangled carcase (or stolen customer file) to show to the board.


Author: Ron Condon

Share This Post On