Industry legend Bruce Schneier famously said that “More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk.” I can’t help but wonder if the comparison holds true in relation to some organisations’ approach to IT/Information security and the associated risks. After all, invariably many of us are so busy fending off the known knowns and the known unknowns that it’s far too easy to forget about the unknown unknowns.
Confused? Let’s look at this another way. Most organisations possess proven technologies that defend against the known threats (known knowns). In fact, many of the solutions within the infrastructure will also afford a level of protection against the zero-day threats (known unknowns).
However, how can we truly protect against what we don’t know (unknown unknowns)? The issue is that just because we don’t know about something, or can’t see it, doesn’t mean it isn’t there, and therein lies the dilemma.
One approach is to consider not only the logical threats, but also the physical. In fact, stepping outside of the realm of the traditional IT environment will afford you a bird’s-eye view of risk. Remember, what you see as an IT risk may not actually be a business risk, and vice versa.
When considering potential attack vectors, you should include your trusted resources in any review and carefully assess what the implications of a breach via that route may be. Remember, not all breaches happen electronically, although almost all have a root in poor password management or protection.
So, a weak password may lead to a compromise taking place electronically. Conversely, it could be used by a disgruntled employee. However, once a system is compromised, it really shouldn’t be the end of the world. In fact, with a layered approach, appropriate logging, encryption, endpoint controls, document classification etc., at worst, a breach should be a minor inconvenience.
The reality, though, is often sadly different. In a hyper-connected world where more focus is given to access and speed than to security, there will, of course, always be gaps.
Where organisations have a CISO, or someone who actively owns the risk, there is a glimmer of hope.
For organisations without one, remember that the team at the sharp end are firefighting and doing the best they can with limited resources.
They are so busy fending off the sharks, they pay no attention to the pigs…
Beware of the pigs, you have been warned…