Tuesday, June 30, 2015

How ‘FIT’ is Your IT Security Posture?

A.J. Materi once said, “So many people spend their health gaining wealth, and then have to spend their wealth to regain their health.”  When it comes to a person’s wellbeing, the profound reality is that too many of us spend our lives reaching for the ‘wants’ that seem important to us, only to realize that the core, root items we ‘need’ have been available, all along.  Yet we’ve squandered and sacrificed our very life-sources, to pursue the wrong goals.

Likening this to IT Security, there’s a very distinct parallel.  Looking at the companies we work for, the companies we deal with and our customers, very often we’ll find that in pursuit of the perfect IT solutions, tons of money, decisions and effort are spent trying to ensure such things as functionality, profitability, consistency, compatibility, accessibility and end-user satisfaction.  At the end of the day, those goals are admirable.  They’re desirable.  Oftentimes they’re absolute requirements, set in stone, and they must be accomplished.  All are completely understandable and are worthy goals, but…

In the effort to provide all of the things we want, too often we sacrifice in other areas to achieve those wants.  We sacrifice people (staff get overworked, trying to accomplish the never-ending wish lists from product management or customers).  We sacrifice maintainability (code paths get too large, making it hard for current and future developers to support and maintain the code). We sacrifice time (to add increased functionality and features requested by whomever, we dedicate cycles to research and development, training, supporting and documenting).  Some of these sacrifices can be bad.  Some just come as a part of doing business.  However, very often and most importantly, we sacrifice security.

Security and fitness go hand in hand.  To live a healthy lifestyle, one must eat right, develop good habits, exercise regularly, get plenty of rest and continue to adapt one’s body as needed in order to ensure one’s physical condition remains constant (or for many, improves).  The same is true of a good security posture.  Knowledge must regularly be fed (security training must always be accounted for and maintained, as IT and technology are always changing), good habits must continue (secure coding habits, incident analysis habits, management habits), exercise is imperative (employees whose skills aren’t tested periodically, in order to find and grow their weak areas, will grow lax and complacent - particularly in security), rest must be plentiful (overworked employees tend to make mistakes, fall asleep on the job and miss crucial information, often due to overload) and adaptation must continue.  Just as in fitness, IT security employees need to hit the Y.M.C.A (“You MUST Continue Adapting”).

Now, that isn’t to say that the most physically ‘fit’ people or security teams won’t eventually have issues.  An example of this is a buddy of mine - great guy, very physically fit.  He’s been running half-marathons (I’m envious, as I used to be a marathon runner myself, before I let my OWN fitness level suffer on account of work, friends and family life - but that’s changing), eating right, and living a very healthy lifestyle.  Yet, just a couple of days ago, he suffered a heart attack, and is headed for a likely bypass surgery.  He was doing all the right things, but the issues still came.  IT security is very much the same.  You can have all your i’s dotted, your t’s crossed - ‘all your ducks in a row’.  But tomorrow, a new 0-day can pop up in the wild, an end-user can get socially engineered, someone might DDoS your network or ISP...  The list goes on.

However, just as in fitness, it helps to have a support team - those people who are there to push, to motivate, to encourage and to instruct your staff, your security teams and your customers.  The goal needs to be to continue to push through the rough spots, come back from the problems and continue to work to make things ‘better, stronger, faster’ than they were before (Six Million Dollar Man quote, for my generation).  Most importantly, someone needs to maintain the proper focus - just as a powerlifter must focus on his lift, to ensure he doesn’t injure himself by doing things incorrectly, so must IT management and security staff.  The focus needs to be kept on security and have buy-in from management, with an understanding that all of the ‘wants’ need to still be balanced out against the ‘needs’.

Closing thoughts -

If proper care is taken to ensure that the needs (security posture) are always met and properly maintained, then the entire system will thrive and focus can be aimed at the wants, allowing them to come to fruition.  MAKE the time to educate, to practice and to build the overall security posture of your organization, so that you can TAKE the time to handle your wants.  It’s far easier to stay ahead of the needs, rather than to lose sight of them and pay the price, down the road.

Stay Healthy, My Friends