Firefighters are heroes. They rush into burning buildings to save our families and heirlooms from disaster. They are there in the middle of the storm to help.
Building inspectors are bureaucrats. They tell us how to safely build and remodel while mitigating unforeseen threats that may never come.
But who has saved more lives and property?
It’s difficult to determine how many disasters have been averted by building codes or by the recommendations and requirements from building inspectors, but I suspect a lot more disasters are averted through their careful building plans, processes, and procedures than by firefighters responding to a fire.
Home fires are primarily caused by human error and building issues. Human error includes cooking accidents and careless actions such as leaving candles burning unattended. Building issues include electrical and HVAC faults. Human error is addressed through education, and building issues are addressed through better building policy and guidelines.
In the modern enterprise we are obsessed with putting out the most recent fire: the latest data breach, the malware attack, the phishing attack. The products and services we buy and use align with that thinking. So many of those products and services are focused on stopping what we think is inevitable. We assume there is no world in which a data breach is not commonplace. That means we spend money on data loss prevention, penetration testing, and cyber security insurance.
What if that isn’t the case? What if we could build a system that anticipated attacks and breaches before they happened? We have enough data showing that reactive defensive spending isn’t working and that it keeps us on our heels. We need to apply the thinking of building inspectors and building planners to building software.
When we apply this thinking, we have to start at the beginning. Where to begin is a question I get frequently: where do I start for a cyber security career, where do I start to find vulnerabilities in software or networks, where do I start in defending the enterprise.
There are two parts to the answer. The first is to start thinking about the bad things that can happen. Ask yourself: what does this feature look like from the attacker’s point of view? What is the worst-case scenario? What would an attacker most like to get their hands on, and what currently stands in their way? In our house fire scenario, this is the equivalent of developing building codes, which help to ensure that our electrical systems and HVAC don’t spontaneously start fires and that our building materials are more resistant to fire.
The second part is to help users make better decisions through education. This can be done with a risk-based approach. You can decide where to start by the employee’s current education level, perhaps starting with the least knowledgeable employees first, or by their impact on the organization, perhaps starting with the employees who have access to the most critical systems. In either case you make an active decision to start improving the decisions your employees make.
Threat modeling is one of the most impactful things you can do to understand and reduce your application and organizational risk. Starting to understand the assets, entry points, users, roles, components, and threats to the system you want to protect is a huge step forward in knowing where to apply resources. You can use threat modeling as a lens through which to view any threat. Once you are aware of the threats you face, you can decide on the risk level and risk treatment for each.
When thinking about building a strategic security initiative, ask yourself: Do you want to be a firefighter chasing after the latest fire or a leader anticipating and mitigating threats before they happen?