Bad Analogies in InfoSec: How not to explain Security

Security is not healthcare

“Security patching is like diet and exercise — if you don’t watch your diet (know your vulnerabilities) and exercise (patch) you will die”.

Does this look like patching to you?

Breaking into a network is not like breaking into a house

The physical realm is not the virtual realm. Let’s stop using one to try to explain the other.

Who does this stuff any more?

Security is Not Food

This is my favorite bad analogy — the suggestion of a hard, crunchy outside (the network perimeter) and a soft, mushy middle (the notoriously unsecured and over-trusted internal environments).

Security as a Race

You know, “Security is a marathon, not a sprint”.

No typical human ever looks this good finishing a marathon

So what are the alternatives?

Let’s face it, there are some in your organization for whom a deep, well crafted explanation of what you’re doing is unnecessary and a waste of time. For them, saying “because I said so” is enough.

  • Security is about protecting systems, and more importantly data, wherever the organization allows that data to be used for its mission — so we need multiple types of security strategies to protect the data (industry benchmarks on how many types of security functions and tools are typically used can be very helpful in this discussion), just as the organization has different lines of business to deliver its goals.
  • Security is a conscious effort for every employee, not just IT, and not just the Security team. Executives need to hold everyone on their team accountable for Security, just as they hold everyone accountable for the bottom line, customer service, and other mission-impacting activities.
