What security and your kitchen have in common
Carolina Marino Sargeant
Subject Matter Expert, Security
What does security and your kitchen have in common? You may be struggling to see an immediate connection, but I promise you there is one. Just think for a moment about the way you buy your appliances and gadgets.
You love coffee, so you invest in this amazing gourmet coffee maker. You keep your kettle and your old coffee maker just in case. You eat a lot of bread, so you get a bread maker. A toaster. A sandwich grill. You go on a diet (after all that bread), so you buy a blender for your smoothies. Over the years, you keep buying new equipment according to your immediate needs. Soon enough you realise you ran out of kitchen surface and storage space.
Sure, you could move to a new house with a bigger kitchen, but that may just not be an alternative. Plus, you don’t even use everything you have. You don’t remember the last time you used that ice cream maker. Your toaster is burning your bread slices; you have no idea how to fix the temperature and you are afraid it may set your kitchen on fire. You have a food scale somewhere, but you can’t find it when you need it. Instead of solving all your culinary challenges, having too many appliances is creating new problems.
The same rule applies to security. Many companies still buy security products to solve immediate problems, without advance planning. In fact, according to the 2017 Cisco Midyear Cybersecurity Report, 43% of companies make project-based purchases (best-of-breed) or deploy point products as needed. This unstructured approach to security leads to what we call the “effectiveness gap”.
Just like in your kitchen, having too many security products creates challenges of its own. It is not only an operational nightmare; it is also a potential vulnerability. All those solutions need policies, admin, maintenance, patching, updating. It takes time, skills and resources to do it all. It is also easy to forget one of those rarely used products abandoned in a corner of the network. That is where the real problem starts.
WannaCry is a great example of how hackers can take advantage of unpatched systems. They used a known vulnerability to launch a large-scale attack. They knew that many companies would not have patched their systems in the weeks after Microsoft released the update. They took advantage of it.
The way to fix this effectiveness gap is to stop focusing on the individual threats and rather keep the ultimate objective in mind. Just like your kitchen: it is not there for you to pile on appliances; it is there so you can prepare your food and feed your family, whatever way you choose to do it. A company’s end game for security is to minimise risks. They should not lose sight of it.
Rather than trying to stop individual threats, companies should think about how they can build a more effective security posture that will help them face any challenge that arises.
October is the European Cyber Security Month. Learn more about this campaign at cybersecuritymonth.eu or follow #CyberSecMonth on Twitter.