On Being Proactive

As early man went through his hunter-gatherer phase, security was always up-close and personal. Security was all about survival. Small, nomadic groups of people had to protect themselves primarily from exposure and starvation. Even predators such as large cats were a security concern. I find it hard to believe, however, that other humans even registered on the list of concerns for people with a hand-to-mouth existence. If your tired, soaked, bedraggled clan came upon another, what value would you achieve by attacking them? Everyone was on a subsistence level, so one group or individual would not have much to gain by risking a violent assault on another.

Once an agrarian and farming society began to flourish, humans could take the time to establish first villages, then towns, and ultimately great cities. As fewer people were required to provide food for the clan, group members could specialize in skills and knowledge beyond simply staggering around looking for something to eat. They could create works of stone, bronze and wood while engaging in commerce with others to obtain other items they wanted. Humankind began to understand the concepts of natural resources and generated wealth.

These dramatic changes (taking place over centuries) called for a new perception of security. Small bands of unaffiliated raiders to entire national armies were soon mobilized to purloin the resources and produce of others. From Helen of Troy to Hitler’s Lebensraum, there were now outsiders who looked hungrily on what your group possessed.

Security had to evolve to keep up. It must have been prohibitively expensive to keep groups of armed men (and more than a few women, I suspect), up all night watching over flocks, fields and the occasional object of prurient lust. This type of proactive security is difficult and costly to maintain. They needed something that was literally less taxing.

The answer for many communities became a static defensive perimeter. Sure, it would cost quite a few shekels to build and maintain, but it would be cheaper in the long run when compared against potential losses and maintaining an active force of counter-attackers. You could also amortize the cost of these defensive measures across larger and larger groups of beneficiaries. Hence, a large stone wall with battlements around a rich city could be justified vs. wooden pickets to protect a small garrison. This logic introduced some of the earliest examples of empirical cost-benefit analysis for the security experts of their day.

You would still require proactive security to patrol the fortifications and manage entrances, but a mix of static and proactive security measures was the most cost-effective for its day. Enterprising, big-picture leaders such as China’s first Emperor Qin Shi Huang and the Roman Emperor Hadrian heroically made the case for building these static defenses for entire countries. In addition to deterring attempted attacks, their job was to prevent loss of resources, including human lives.

We are all aware that these defensive systems were never perfect, nor did they prevent attacks, assaults or even wars. We can never calculate what may have happened had they not been built. Doors were breached, walls were scaled, and the spread of gunpowder from the Far East to feudal Europe spelled the eventual end of walled fortifications for strategic defense. Tactically, walls are still quite effective, but cities and nation-states no longer see the value in their widespread adoption. Aircraft and missiles simply fly over them, bombs and rockets can knock them down, and ground forces can be landed behind them. Many significant threats are now known as “insiders” — a term that evolved out of boundary-style security programs.

There are plenty of interesting parallels here for today’s information security practitioners. The initial era of cyber security was ushered in by attention seeking “hackers,” denial of service attacks and large-scale viruses. In response, security vendors developed products such as firewalls, intrusion detection/prevention systems and signature-based anti-virus. These have now become the static and reactive boundary-style measures of IT security. And they are no longer adequate.

There are two key trends driving the need for us to reevaluate our cyber security stance. The first is the growing sophistication of attacks that simply end-run these passive controls. The second is the cost-saving demands of moving sensitive information out from behind static digital walls, and into shared services such as cloud computing. The key to your future as an effective IT security practitioner will be your ability to identify and implement the appropriate mix of static and new, proactive tools to effectively deal with the changes in threat and vulnerability landscape.

If that’s too difficult, you could always try building a taller fence or a thicker wall.


John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail Cool_as_McCumber@cygnusb2b.com.