I talk to a lot of people both inside and outside the company about “security”, but I think the term is too broad to describe what it really means. People believe that it is a *WHAT* (I’ve got this really nice shiny piece of hardware like a network firewall or intrusion detection system), rather than a *HOW*. I’ve found the best way to describe security is by using the analogy of a “security blanket” that some young children have and carry with them everywhere. It’s not specifically the blanket, but it’s the feeling that everything will be okay when they have it. That’s *really* what “security” is – the warm, fuzzy feeling that everything is the way it should be. Now, this is an extremely utopian idea, but there are some very good examples in today’s world.
Take the idea of a sporting event at a large metropolitan stadium. There are plenty of people working the day of the event with shirts that say “SECURITY”, but they’re only the visible part of what security really contains. You have to look deeper at the construction of the stadium and how it is engineered to withstand 80,000 screaming fans or a possible earthquake. Security comprises everything about the experience, from design and construction through the game-day experience (and the people!) and even after the game.
So, that’s what security is really all about – it’s the way that you think about a certain problem or idea. The designers of the stadium thought about every possible problem that could occur and envisioned a design that would be state-of-the-art at the time that it was built to provide the best and safest experience for the players and fans. But they’re not satisfied with that – the owners of the stadium keep up with the latest attacks and problems that affect other stadiums so that nothing affects their stadium and the people who use it for events.
That’s another important piece of the security “mindset” – keeping up with the latest problems and solutions. It’s all about “due diligence” – making sure that you’re always up-to-date and that every person is doing what they’re supposed to do. Imagine if there were a bad shipment of hot dogs to your favorite stadium (who doesn’t like a hot dog at a sporting event?). You would want the stadium to be checking its hot dogs. You would also want the hot dog vendor to have notified the stadium as soon as they knew that the shipment was bad. That way, no one would get sick by eating a fuzzy frankfurter.
Those ideas are also part of the thinking of security. Design in the best security, but always keep up-to-date and keep looking for better. Sometimes it’s a constant “what if” game – keeping up with attacks, both physical and logical. Do I need to worry about elephants stampeding into my football stadium? Probably not, but some do. Do I need to worry about something that happened in another football stadium? Maybe. It’s a never-ending process of determining how secure I am now and how secure I want to be or need to be.
That’s what I think security really comprises – it’s a thought process which starts at the beginning and never ends.
This blog will have other entries about security and how to *THINK* security. But it’s really the way that you already think – so, how do you *THINK* security?