Finding The Hidden InfoSec Story

Infosec is Like Sun Protection


Photo Credit: François Quéru Flickr via Compfight cc

On a recent holiday (being the total geek I am), I found myself musing on information security as I both welcomed and respected the fierce Caribbean sun…

Sun protection – we know too much sun can cause skin damage and at worst, skin cancer. Several decades back, we didn’t know this and so sunbathers slathered themselves with cooking oil rather than Factor 30, in the hope of getting brown as fast as possible. Sadly, this did many of them no good at all.

Clearly, if you don’t know there is a risk and what the impact could be, you aren’t equipped to take appropriate precautions. Similarly in infosec, project and programme managers need to be aware of the need to bring in infosec experts from the very start; otherwise risks may go unnoticed and unmanaged until they become issues.

There’s also a lesson about the value of gathering, analysing and sharing threat intelligence – it was research and epidemiological studies that linked skin cancer to sun exposure and helped us develop a better understanding of how this happens. In just the same way, swapping information on malware and phishing signatures, vulnerabilities and patterns of suspicious activity allows us to recognise and react faster to attacks.

Hats are more than adornment in strong sun, they are a necessity for preventing heatstroke. In this way, hats are a bit like channel or tech-specific controls (such as limiting USB devices or requiring a challenge-response process for user password resets). A hat will protect your head and maybe some of your neck and may help you avoid heatstroke (provided you’re drinking plenty of water and not running marathons!) but won’t stop your legs from getting red and sore if you fall asleep on the sunbed. Similarly, preventing data leakage or locking down remote access will not protect against fake IT support scammers and denial of service attacks. One single protection won’t ever be able to do the whole job; only a layered and multi-factor set of defences will protect you adequately.

Sun lotion is a must, of course. Whether you’re a pale, burn-prone type or endowed with plenty of melanin, and whether you’re going swimming or content with simply baking yourself, will determine the kind of sun cream (or spray, etc.) you need. Choosing the appropriate protection for your assets and activities is every bit as important in infosec. Perhaps you could also think of sun cream as equivalent to training – one application won’t be enough to protect you for the whole holiday (and one training session a year will not achieve the risk-aware culture your organisation needs), and if the content is not tailored to the activities and risks specific to your organisation, the training will not be effective.

Staying under cover will definitely prevent exposure to damaging rays but who wants to spend all of their holiday indoors? Complete avoidance of risk will stop you enjoying yourself and getting things done, just like over-zealous security controls can hamper your business’s ability to operate.

From my musings, I concluded that protecting oneself from sun damage requires an all-over, holistic and context-specific approach, just like protecting your information assets against loss, damage or misuse does. I headed home after a splendid holiday without having become burned or sick (not to mention with my purse, travel documents and ID still safe!). Result.
