Since relocating to rural Somerset a few years back, one my new hobbies is beekeeping. The beekeeping season really begins in the spring as the bees emerge from their winter’s hibernation and this year it was coincident with me getting involved with the Analogies Project which set me thinking.
Bees are fascinating in the way they organise and live their lives and I suspect that many information security analogies between them and me, as their beekeeper, will emerge, but in this first contribution I consider the analogy between the role of a beekeeper and that of a Chief Security Officer (CSO).
Beekeepers don’t keep bees..
That’s right. Think about it. It’s not like you’re a farmer in the traditional sense with livestock fenced in and a padlocked gate their only means of entry and escape. Bees (or at least a large percentage of them) can, and indeed must, leave the hive on a regular basis for the colony to survive. They must leave to gather nectar (and shift some pollen about) before returning to the hive with the fruits of their labour for conversion into honey by other members of the colony.
The bees are free to leave at any time. I can’t stop them. My role as a beekeeper therefore is to provide them with a safe, secure, comfortable and disease free environment to which they will want to return, and within which the business of honey production (and bee reproduction) can efficiently occur.
If the season is good and honey production is going well, I must anticipate their demands for additional space, stacking additional boxes called “supers” onto the main brood chamber, giving them the storage space they then require.
In order to keep the levels of disease to a minimum (the impact of a little guy called the “Varroa” mite mean that it can never be fully eliminated) the I must undertake a regular monitoring regime, examining for tell tale signs of worsening mite infestation and/or different diseases, putting appropriate measures in place as required to controlextent of their impact.
CSO’s don’t “keep” employees..
It would be great for information security if all our employees reported through the CSO, lived in the office 24/7 and ever needed a connection to the outside world in order to manufacture, distribute, develop and ultimately drive revenues. Of course that’s not the case and could never be so.
The role of the CSO therefore, is analogous to the beekeeper.
Their role is to enable rather than control the business operations. Security strategies and controls that inhibit growth will be circumvented (fancy a bee swarm anyone?) by the organisation. Security strategies must assume that employees will leave the perimeters of the business and go out in the “untamed wild”. When they return, you can be sure that some of them will be carrying back into the organisation more than they had intended, and controls and measures must be in place to deal with that.
And risk can’t be eliminated – just like disease or Varroa mites in a colony. Their impact must be assessed and mitigated to a level such as to minimise its impact on the business.
So, Beekeepers and CSO’s – not so different after all. At least one of them has more protection from being stung than the other…
p.s. if now you too are interested in beekeeping as well as information security, I blogged about learning about beekeeping here.