Page 15 - Cyber Defense eMagazine - June 2018
ON THE CLOCK
WHY TIME IS CRUCIAL IN SECURITY EXECUTION
by Brad O’Hearne
DISCLAIMER: As with all security operations, always act in accordance with the highest
standard of legality and ethics, making sure you have the proper authorization for any
security exercises in which you engage.
Suppose for a moment that the relevance of time was removed from all human
endeavour. How would that change the nature of athletic races? What if it no longer
mattered how long it took an Olympic bobsled team to reach the bottom of the track, just
that they reached it? Consider the field of medicine: what if the time required to discover
a treatment for a fatal disease had no detrimental impact on those desperately needing
a cure? What if military operations resulted in equal casualties and outcomes regardless
of the timing?
These scenarios are difficult to fathom because, in our world, their significance
derives from the speed of execution accompanying the effort. Without the defining
aspect of time, efficiency and speed would cease to be relevant as well. Only the ability
to complete a challenge would be important. So, if a few beer-swilling gents plucked
from a Saturday barbecue were able to make it across the pool without drowning, they’d
be as deserving as Michael Phelps of an Olympic gold medal in the 100 m
freestyle. Everyone suffering from a terminal disease would live indefinitely until a cure
was available. Or each side in a military conflict would wait for all troops and weaponry
to arrive and position in the battlefield before the first shot was fired.
These imagined scenarios are clearly ridiculous, because in the real world, mere ability is not
enough: time matters. The fastest wins the race. The cure discovered quickly saves the
most lives. Militarily, perhaps General George S. Patton said it best: “A good plan
violently executed now is better than a perfect plan executed next week.”
Yet when it comes to security implementation, the sole presence of capability commonly
remains the focus, as opposed to speed of execution. Particularly amongst
management, security programs are evaluated through inquiries such as:
• Is a vulnerability management program in place?
• Is there an intrusion detection system in place?
• Is there an incident response policy?
Questions of this nature typically feed checkbox-type evaluation, absent a qualitative
analysis based on merit. Thus, both solid and awful security programs simultaneously
have the possibility of resulting in the same answers to these questions. Viewing a
security program through these have-it-or-don’t lenses can encourage a mindset that
improving security is the byproduct of increasing capabilities, i.e. defining more policies
and adding more security tools to the mix. This is a sibling of the false perception that
Copyright © 2018, Cyber Defense Magazine, All rights reserved worldwide.