Tell me that at least one of you out there in cyber land is a classic movie buff? And no, classic doesn’t mean something that was produced by Netflix for Netflix in 2018. Since I can hear the sound of that pin dropping, I’m forced to conclude that, once again…
Lonely is the night
When there’s no one left to call
You feel the time is right
Say the writin’s on the wall.
Of course, Billy Squier came to that conclusion in 1981, but I digress. Anyway, here’s a little secret. I lead a lonely life. I make classic movie references all the time (like, four or five times a day), and nobody gets them. Here’s one for you:
In the last scene of Kelly’s Heroes (1970, Donald Sutherland, Clint Eastwood, Telly Savalas, Don Rickles, Carroll O’Connor, and Gavin McLeod), Private Kelly, played by Clint Eastwood, convinces the commander of a German Tiger tank to open a bank vault containing $16 million in gold…by shooting off the vault door with a round from the Tiger’s 88mm cannon. It’s a classic scene in a classic piece of American cinema.
But let me ask you a question. First, suspend your disbelief for a moment, and assume that the movie’s fictional denouement actually happened, that in the closing days of World War II, an American platoon convinced a German tank commander to assist them in grand larceny by opening a bank vault via the judicious application of a Panzergranate 40 armor piercing, composite, rigid shell. Here’s the question: Do you think that either the Americans or the Germans in that scenario (or, for that matter, the French bank) cared more about the bank vault or the $16 million in gold bullion sitting in the vault?
Spoiler alert: The ONLY thing they cared about in that situation was, pun intended, the crown jewels, the gold bars. But you probably guessed that, so give yourself a good pat on the back from Private Kelly.
Given that, let me ask you another question. Why is it that conventional cybersecurity paradigms continue to focus on the vault instead of the gold? Or, to bring the analogy home, why do we continue to focus on the tools, hardware, and devices (the vault) used to manage information we produce and our ability to generate value through its use (the gold)? After all, isn’t one vault (computer) pretty much the same as the next when it comes to the real value, the information and our continued ability to use it? I can hear the head scratching from here, guys and gals, and I’m right there with you.
This focus on management modalities isn’t a chimera. If you were to draw five columns, representing from left to right the five functions (identify, protect, detect, respond, recover) of the NIST Cybersecurity Framework, and then drop points representing security products currently offered in the relevant columns, you’d notice that a significant majority of those products fall into the identify, protect, and detect columns, with only a very small number of them filling the respond and recover columns.
And that’s great, except that if our shared, bitter experience has taught us anything, it’s that the attackers consistently defeat our ability to identify them, protect against the attack, and detect the ongoing attack. Wouldn’t it make more sense to focus on response and recovery? That is, rendering the attack fruitless for the attackers?
Strikes me that neither Kelly nor the Tiger’s commander would have bothered the bank at all, if they’d felt there was a good likelihood that they’d have lost the gold in the end. But, while that might make for more effective cybersecurity, it makes for lousy classic cinema. Not to mention burning bridges. (That’s another Kelly’s Heroes reference for the classic cinema buffs out there. Both of you!)
Build it right!