Photo Credit: Bill Maksim Photography via Compfight cc
Yes, really!
I was recently looking for a change of direction in my information security career and was invited to an interview at a local company. I was instructed to prepare a 10-minute presentation on information security, aimed at new starters during the induction process. They provided an overview of the types of roles my hypothetical audience would be filling and I was specifically asked to keep it light-hearted and snappy. Hmm, as we all know, information security principles and practices are generally perceived to be quite dull, but I liked this request because I don’t believe they have to be, so I kept in mind that all I needed was a little inspiration…
Unsuspectingly, a few days before my interview I was at home doing the general cleaning/tidying/pottering that we all do at weekends. The TV was on in the background but I wasn’t really paying attention, until a bolt of lightning hit me and I was drawn into the story of Jurassic Park. I found myself perched on the edge of the sofa frowning at the screen with my head to one side like an inquisitive puppy. Could it work?
It was at that moment that I realised the whole storyline to Jurassic Park is based on a true story. Now, I don’t mean that there really is an island somewhere in the Pacific Ocean where dinosaurs are being cloned and roam freely, well, not one that we know about anyway, so let’s focus on the characters instead. Firstly, we have Sir Richard Attenborough, the perfect Grandfather-figure who occupies the role of eccentric billionaire entrepreneur and Project Manager. By the time we enter the story, not only has the project been initiated and plans formed, but action has been taken and dinosaurs exist. The storyline takes twists and turns with Sam Neill and Jeff Goldblum asking sensible (and frankly necessary!) questions about whether the project is a good idea at all; just because you can, doesn’t necessarily mean that you should. Although by this point in the story it’s obvious that they’re suggesting closing the stable door long after the proverbial horse has bolted.
It’s all okay though: security is key and was a top priority during the design phase for the park. Depending on the ferociousness (and appetite!) of each species, steps have been taken to contain them. We see 40-foot-high electrified security fences, armoured cars with bullet-proof glass for the visitors’ tour, reinforced steel doors throughout the visitors’ centre, and top-of-the-range technical security controls around the IT system that controls everything. All of it is shiny, new and well-considered, with no expense spared.
BUT, we also meet Dennis, the Computer Programmer who, by strange coincidence and due to unpredictable weather, finds himself in sole charge of the IT and security systems. He has unrestricted access to everything and sufficient motivation to exploit the process, having been paid handsomely by a corporate rival to steal sensitive data (in this case, dinosaur embryos). He therefore takes the opportunity to bypass security protocols to gain access to the embryo store and sets off a chain of events which releases the T-Rex and Velociraptors into the park to do their worst.
So, that’s where my presentation went. After I’d set the scene with a few security basics, I moved on to Jurassic Park, boldly stating how its underpinning plot is based on a true story, and ending with the outcome: a picture of Jeff Goldblum running away from a T-Rex with a flare in his hand and the security fence fallen on one side. Now, ordinarily I wouldn’t use the induction process to give new staff any bright ideas by pointing out what commercial secrets they may be given access to, or hinting at what those secrets might be worth to the company’s competitors, but this was a fake scenario and it therefore felt safe to push limits a little to get my point across. I might, however, touch on the truth behind Jurassic Park when talking to a management team: the importance of good information security practices and procedures, the reasons behind ensuring separation of duties, and generally to encourage a risk management approach to security that avoids placing the entire store of dinosaur eggs into one expensive, but highly flawed, basket.