This article can also be found in the Premium Editorial Download "Information Security magazine: Closing the gap: How to decide when (and if) to patch vulnerabilities."
People! We have to see the forest for the trees! We can't protect the keys to the kingdom when the network is a hard, crunchy shell with a soft, chewy center. It's like we're trying to drive the car by looking in the rearview mirror.
Welcome to analogy hell, a.k.a. the world of information security. Ours is a business of nonstop metaphors, clichés, similes and comparisons to quote/unquote real-world scenarios. Should we all agree to put a moratorium on using IT language and analogies to describe what we do? Or is that throwing the baby out with the bathwater?
Look, I'm as sick and tired of analogies as you are, but face the facts: without them, it'd be a lot harder to do your job. Next time you meet with an IT manager, try to describe defense-in-depth without talking about the layers of an onion. Try to describe a PC firewall to an end user without talking about doors and locks on a house. You'll just get a blank stare.
Fact is, analogies are a good way to educate and motivate both higher-ups and end users. But tread lightly. Metaphors should be used sparingly. Like a comedian, you constantly need to come up with fresh material.
I recently heard a couple of not-so-old security analogies that you may want to try on for size.
1. Treat your organization like an airport. Lots of different people with varying degrees of access and authority come in and out of the airport every day. Some of the travelers make frequent trips to the same destination; most use the facility far less often and with less predictable itineraries. Some arrive through the air; others arrive on the ground.
Use multiple checkpoints to screen the traveler and his belongings. First, confirm his identity and itinerary. Ensure he's headed to a valid destination at an expected time. Then, screen his packages and person for unauthorized content. If he checks his luggage, screen that, too -- but in a way that doesn't delay him longer than those with carry-ons. Make sure to match up the traveler and his luggage when it gets to the plane. He should never be separated from his carry-ons. If he leaves the secured zone, screen him again.
2. Act like a dentist. When cavities appear, fill them as soon as possible. Untreated, they'll only result in a worse toothache. Still, your emphasis should be on preventing cavities, not fixing them.
Brushing isn't enough. For complete dental hygiene, you have to floss, massage your gums and use mouthwash.
Patients shouldn't see a dentist only when they have a toothache. They need routine cleanings, and a fluoride treatment when needed. And even dentists need regular checkups from other dentists.
Finally, your password is like a toothbrush. Always take it with you when you travel, never share it with anyone, and change it often.
A good analogy is worth its weight in gold if used in the right context. It helps nonsecurity personnel separate the wheat from the chaff, enabling them to keep their eye on the ball and see light at the end of the tunnel. That gets the monkey off your back and....
OK, I'll stop now. Clearly, I'm kicking a dead horse.
About the author:
Andrew Briney, CISSP, is editorial director of TechTarget's Security Media Group.
This was first published in February 2004