There’s a well-known truism in cybersecurity that uses a physical analogy: there’s no point having a 10-foot fence in one area if there’s only a 1-foot barrier everywhere else. The attacker will just go around to where the barrier is lower.
But like so many truisms, this one is simple, clear – and wrong. In at least two cases you absolutely should have a 10-foot fence in one area even if you only have a 1-foot barrier everywhere else.
Of course, there are some who will argue that in cybersecurity these days we don’t need fences at all. When really pushed on what that actually means though, it’s specifically that we no longer need firewalls and other network perimeter devices. For most people, it’s still desirable to put some sort of preventative measures in place (otherwise we might as well throw away all our investments in identity and access management, and stop bothering to patch). I’m certainly happy calling those measures fences – this is an analogy, after all.
The first of my two cases is if you have an area that is particularly difficult to monitor. In that case, put up a 10-foot fence there and make sure the attacker is incentivised to come in through easier-to-monitor areas.
But there’s a second, more strategic reason. If your ambition is to have 10-foot fences all around in the long term, you have to start somewhere. And that’s particularly true if 10-foot fencing can be difficult and expensive to procure.
Of course, for some niche operations, 10-foot fencing is a must no matter what the cost and difficulty of installing it. For others, it will simply never be sufficiently interesting to bother with. But what if you would ideally like 10-foot fencing but you balk at the current price and difficulty of installing it?
It seems to me that for enterprise cybersecurity, today’s answer is to work furiously hard trying to extend the height of the fence one inch at a time. I don’t have much experience putting up real-world fences, but I do know that in the world of enterprise cybersecurity, fence-building is extremely hard and slow work. Some of that effort might be better expended on an occasional stretch of 10-foot fence as part of an investment in a better future. You’ll get some immediate benefit – attackers have to go to the trouble of going round it and you can reduce your level of monitoring and response in that area – but much more importantly, you’ll signal to the market that you’re interested in 10-foot fencing.
If it turns out you’re alone in your interest then your only option is to keep building one small stretch at a time. But if in fact it turns out that there are enough of you sufficiently interested in 10-foot fencing to put it up in at least some areas, suppliers will spring into action, spurred by forecasts of a much larger market. Fencing vendors will raise capital and use it to develop new fencing technology and manufacture new 10-foot fencing solutions that are more cost-effective and easier to install – and as a result, you’ll end up being able to afford to put it up everywhere.
Even better, if you manage your market relationships appropriately, you’ll probably find that some of those suppliers will be extremely keen to work closely with you and develop the new fencing solutions to your particular requirements – and might even help you install them in order to create a great reference installation for their sales force.
Physical analogies don’t always work for cybersecurity. But in this case, it seems to me that the analogy works pretty well. My guess, though, is that not only is the level of threat much higher in the cyber world than in the physical security world – the speed of market response will be significantly higher there too. So the argument for investing in some 10-foot cyber fencing seems to me even more compelling than with the physical variety.