The bad guys are getting smarter, more creative, and more persistent, so what are we doing in response? I can’t tell you how sad it is to hear things like this when I ask how companies are shifting their security programs in order to combat advanced threats:

  • We’re upping our patch schedules from one month to two weeks.
  • We’re deploying anti-virus signatures faster.
  • We’re consolidating all of our user laptop images to a gold master.
  • We’re deploying outbound content filtering.

Hole in the Wall, by Lars Plougmann

Sure, those things help. But individually they are largely ineffective in shifting the balance in your favor. Think about how IT evolves through bolted-on enhancements. What did day one of the business look like from an IT perspective? What does it look like now?

My guess, day one was pretty secure in comparison. Probably a couple of new computers, maybe a hosted web instance or e-commerce site, and a simple firewall policy—something like deny all inbound and allow key services outbound. As the business evolves, so does its “interconnectedness” and reliance on the automated electronic exchange of information.

The typical icon that visually depicts a firewall is a brick wall that has been set on fire. The reality is much different as we go along and that wall becomes more porous with each new business initiative. That’s not necessarily a bad thing—it’s a reality for businesses relying on the notion of interoperable information systems. And yet, with every breach I have ever worked, the question in the boardroom is always the same:

How did we get here?

We got here because we let a couple of walls create a false sense of security. Not only does this make us complacent in our approach to information security, we start to believe that the only reality that can exist is one in which a breach doesn’t happen to us. Shiny tools don’t fix organizational dysfunction. Organizations must think about the walls they deploy, how they work, and how the enemy will go around, under, and over them.

This post originally appeared on