Cybersecurity is Like Securing Your Car
How many of the things in this illustration do you do to secure your car?
This approach is called “Defense in depth”. It originally comes from military strategy and it is also the foundation of every good cybersecurity strategy.
It takes more than one thing to be secure.
Problems come from more than one angle, and most protections have strengths but also limitations. We add up the strengths and cover the blind spots by layering the protections so that, together, the result is a holistic strategy.
If an organization is brought to its knees by a cyberattack, this principle says more than one protection failed. This principle also says a single action by a single individual will rarely bring an organization to its knees if there is a good security strategy in place.
Why is cybersecurity so complicated?
This picture shows there are lots of ways you protect your car too. A big difference is this: today most of the car protections are habits, so you don’t think about them as much as you did at first.
You made a deliberate choice at some point that your car is an asset worth protecting. You’re probably aware of how it would affect your life if the car were stolen or inoperable. You’ve made decisions about which protections are worth the time and the effort to protect your access to the car. You may have given more thought to those things about your car than about things affected by a cyberattack.
When it comes to cyber, many organizations are not yet clear which assets are worth protecting or what it would mean to their operation if those assets were unavailable, let alone stolen.
Add to that the idea that most cyber protections are not yet part of the habits of many individuals and not part of business as usual for many organizations.
Can cybersecurity become as easy as protecting your car?
When it comes to protecting your car, you’ve been doing it all a long time.
You’ve had a lot of practice at it.
You didn’t do everything at once; heck, some of the technology you use now probably wasn’t available on your first car.
You added protections over time as you got better cars that were worth more effort and as new protection features were added.
You don’t complain about it, well, at least not too much.
Yes, cybersecurity can become as easy as protecting your car.
The steps for getting there are very similar:
- Decide what is important to protect
- Decide what you’re willing to do to protect it
- With your car you might have had input from more experienced drivers about what options you’d want to buy and use; that’s just like getting advice from your internal cybersecurity team or consultants.
- Add protections gradually and give yourself time to practice.
- Admit to yourself that it was your decision. You decided you were going to do this because the trade-off is worth the effort.
- If your organization is already working to improve cybersecurity, then sharing this picture with stakeholders may help the medicine go down that much easier.
- If you get objections from business decision-makers on cyber protections, it helps to first get clear about which assets they believe they own. Once asset owners are established, show them this picture as an introduction to the Defense in Depth strategy and to engage them in making the decisions only asset owners are authorized to make.
- If members of your household give you pushback on responsible cybersecurity for your shared assets, use this picture to discuss a clearer strategy that identifies the assets you want to protect and your plans to protect them.
- Sign up to be notified when a new SecuriThink Field Note is posted for more insights on how we make the business case for cybersecurity.
If you have comments, please join the discussion on the relevant LinkedIn post here:
This analogy originated with a LinkedIn post by Mark Kirstein. We got his permission to run with it, and we love to give credit where credit is due, both to Mark and to all the folks who contributed to the discussion.
- Mark Kirstein https://www.linkedin.com/in/markkirstein/
- Matthew Lang https://www.linkedin.com/in/matthewlangnj/
- Alex Farling https://www.linkedin.com/in/alexjfarling/
- Jason Slagle https://www.linkedin.com/in/jslagle/
- Aaron Birnbaum https://www.linkedin.com/in/aaronsbirnbaum/
- Lee Mash https://www.linkedin.com/in/leemash/
- Frank Dickson https://www.linkedin.com/in/frankdickson/