Page 15 - Cyber Defense eMagazine - June 2018
P. 15

ON THE CLOCK


               WHY TIME IS CRUCIAL IN SECURITY EXECUTION


               by Brad O’Hearne


               DISCLAIMER: As with all security operations, always act in accordance with the highest
               standard of legality and ethics, making sure you have the proper authorization for any
               security exercises in which you engage.

               Suppose  for  a  moment  that  the  relevance  of  time  was  removed  from  all  human
               endeavour.  How  would  that  change  the  nature  of  athletic  races?  What  if  it  no  longer
               mattered how long it took an Olympic bobsled team to reach the bottom of the track, just
               that they reached it? Consider the field of medicine: what if the time required to discover
               a  treatment  for a fatal disease held no detrimental impact to those desperately needing
               a cure? What if military operations resulted in equal casualties and outcomes regardless
               of the timing?

               Grasping  these  scenarios  is  difficult  to  fathom,  because  in  our  world, their significance
               derives  from  the  speed  of  execution  accompanying  the  effort.  Without  the  defining
               aspect of time, efficiency and speed would cease to be relevant as well. Only the ability
               to  complete  a  challenge  would  be  important.  So,  if  a  few  beer-swilling  gents  plucked
               from a Saturday barbecue were able to make It across the pool without drowning, they’d
               be  equally  deserving  as  Michael  Phelps  for  an  Olympic  gold  medal  in  the  100  m
               freestyle.  Everyone  suffering  from  a  terminal  disease  would  live  indefinitely  until  a  cure
               was  available.  Or  each side in a military conflict would wait for all troops and weaponry
               to arrive and position in the battlefield before the first shot was fired.
               These  imaginations  are  clearly  ridiculous,  because  in  the  real world, mere ability is not
               enough:  time  matters.  The  fastest wins the race. The cure discovered quickly saves the
               most  lives.  Militarily,  perhaps  General  George  S.  Patton  said  it  best:  “A  good  plan
               violently  executed  now is better than  a perfect plan executed next  week.”

               Yet when it comes to security implementation, the sole presence of capability commonly
               remains  the  focus,  as  opposed  to  speed  of  execution.  Particularly  amongst
               management,  security  programs are evaluated through  inquiries such  as:


                   •  Is a vulnerability  management  program in place?
                   •  Is there an intrusion  detection system  in place?
                   •  Is there an incident response policy?

               Questions  of  this  nature  typically  feed  checkbox-type  evaluation,  absent  of  a qualitative
               analysis  based  on  merit.  Thus,  both  solid  and  awful  security  programs  simultaneously
               have  the  possibility  of  resulting  in  the  same  answers  to  these  questions.  Viewing  a
               security  program  through  these  have-it-or-don’t  lenses  can  encourage  a  mindset  that
               improving  security is the byproduct of increasing capabilities, i.e. defining more policies
               and  adding  more  security  tools  to  the  mix.  This  is a sibling of the false perception that


                   15    Cyber Defense  eMagazine – June 2018 Edition
                         Copyright © 2018, Cyber Defense Magazine,  All rights reserved worldwide.
   10   11   12   13   14   15   16   17   18   19   20