...hikers walking in the back country of British Columbia round a corner and suddenly confront a 1,000-pound grizzly bear standing 8 feet tall in front of them. The hikers drop their packs and take off back down the trail running for their lives. One of the hikers says, “[pant, pant] This is crazy! [pant, pant] We can’t outrun a grizzly bear! [pant, pant] They can run 25 miles per hour and they can climb trees!” The other hiker responds, “[pant, pant] I don’t have to outrun the grizzly bear. [pant, pant] I just have to outrun [pant, pant] YOU.”
The point of the article is to get you thinking about security and why you should avoid being the low-hanging fruit for attackers.
It reinforced something I've been thinking about, which is base lining of security activity for companies. It would be cool to understand how your company matches up against others. I wonder if that could be useful input to compliance audits?
3 comments:
I'm currently nose-deep in Bruce Schneier's book Beyond Fear (a long overdue read, I know) and he mentions this story. He also says it only works on attackers who prey on targets of opportunity. I can't recall how Bruce puts it, exactly, but imagine how the story changes if you are the one covered in tasty honey with a fresh, yummy salmon in hand?
BS: (from newsweek interview SEPTEMBER 2, 2003 )
"I wrote this book to try to inject some sense into the security debate. So much of the dialog of security centers around fear and uncertainty. I wanted both to explain how security really works and to show how we all can make ourselves safer by thinking of security not in absolutes but in terms of tradeoffs.
There's so much stupid security out there -- in airports, in office buildings, in the government. I wanted to give people the ability to see why some things are stupid and -- to the extent possible -- how to fix them. There are many dangers in the world, both real and perceived, and it's my hope that the book gives people a realistic sense of how to deal with risks and threats."
Bruce makes a lot of sense. There are definitely some targets that are more attractive than others. And some fears are probably unwarranted.
I think the problem companies have is that the decision makers are human and therefore prone to fear and lack of knowledge. They don't understand which risks are real and which are merely perceived.
And that goes back to my original point about baselining. It seems that one way people want to resolve the issue is to figure out what their peers are doing.
Financial companies always ask software vendors and IT integrators about what other finanical companies of similar size are doing to address the same challenges. Humans feel safety in numbers. They think "as long as I'm not the only one doing this, I'll probably be OK." Which is pretty weird.
Post a Comment