Holidays always give us time to reflect and recharge our batteries, and can often be inspirational experiences. For me, learning to ski has brought its own insights, in some unexpected places.
As I went through the week – from the first clumsy exit off the chair lift, through the challenge of skiing down sheet ice, to a day when I realised I needed a different pair of goggles due to the grey, flat light – I began to see parallels with the experience of a new business implementing information security for the first time.
For me, the equipment and accoutrements of a given activity are one of the most exciting parts of a new hobby. For my first skiing trip I wanted to be prepared so I bought a helmet, goggles, ski jacket and pants, and thermal leggings, even big cosy down-filled mittens. I felt I was fairly well prepared, without going overboard – no point in buying the really expensive equipment like boots and skis if I didn’t take to the sport.
A new business might take a similar approach to its own security – I spent on simple physical protection, without overspending on technology before I had a definite business case to support that spending. As it turned out, I encountered a vulnerability during my trip which required the implementation of protective technology – light-enhancing lenses for my goggles to cope with the poor light. Going back to our business analogy, this could easily have been, say, a malware exposure prompting the purchase of some decent AV software.
One of my friends on the trip didn’t buy a helmet. She didn’t think she needed one, reasoning that she wouldn’t fall on her head. But what about the impact others have – on a busy mountain in poor conditions, it only takes one careless friend falling and taking everyone else out to put her head in danger. Some protection we employ not just against malicious actors, but accidentally clumsy allies. In business it’s often employees or third parties who unintentionally cause data breaches.
One girl was knocked off the chair lift on her first day, breaking her wrist. We might be able to minimise the likelihood of this kind of unexpected event with education and awareness training, another useful tool in the Security Officer’s toolbox.
As it turned out, the weather was fairly mild and none of the thermals were needed. If I were a CISO in a new business, could I justify that spend on apparently redundant technology to my finance director? Of course I might get some use out of them next time I go, and sure the weather has changed this week so I could well have needed them if I’d stayed longer. But these are often difficult arguments to make – the ROI on security technology is that “nothing happens” – the business continues to function without incident. Can we encourage our business leaders to see this as analogous to investment in the health and longevity of its people, enabling them to “ski” another day?
And what of that “other day”? The more I ski, the more proficient I will become, but at the same time my equipment will age and wear out. I might find myself drawn to other disciplines on the snow – boarding perhaps, or cross-country skiing – which would require additional training and perhaps more tailored equipment. As businesses mature and develop, they too should examine the relevance and suitability of their security technology and intelligence. Do they need to upgrade that firewall, enhance their network security, or improve their user awareness training to incorporate new concepts and threats?
For me, the key theme running through both skiing and business security is risk. How much are we prepared to accept to enable us to operate in a hostile environment, whether it be a snowy, icy mountain or a business world where we are a new fish in a very big pond full of piranhas?
If we are too risk averse, we won’t succeed in business – you have to open at least some ports on your firewall to enable you to communicate and transact with the outside world. In the same way, you have to actually go up the mountain to throw yourself back down it again.
I’d even go so far as to say, you have to have some accidents to really progress and learn – my helmet-less friend might change her mind about that particular investment after she’s had her first knock from a careless snowboarder.
By taking sensible precautions, appropriate to the size, age and requirements of our business, we can launch ourselves off a mountain fairly safe in the knowledge that we’ll get to the bottom without too much incident and with a smile on our faces. And taking the right precautions in business will also reduce the risk of becoming another cyber-attack victim.