Monday, December 15, 2008
The Answer – One More Than You Have
I attended the West Coast Security Forum (WCSF) during the first week of December and I must share with you a major advancement in my understanding of layered defense strategies. I have attended many conferences and I am always looking for that nugget of truth that I can walk away with and apply to my work. Well, the WCSF did not let me down. From an anonymous voice in the crowd I heard that sage advice that we all seek. I asked the audience: when using a layered defense strategy, how many layers of defense are enough? The first response yelled from the crowd was “5”! Of course, everybody knows that was nonsensical. Then I heard “42”! I thought to myself, this guy is on to something. Then, like a blinding flash of insight, came the answer that we were all seeking from the wisdom of the crowd… “one more than what you have”. “Eureka!” I exclaimed. It was immediately obvious to me and the audience that this was true and undeniable wisdom. In other words, you’ll never have enough and it’s time to start thinking about cyber risk management in different terms.
It’s time to start thinking about basing your security strategy on hard data instead of vague notions of multiple layers, hoping that you have enough. For further discussion on this topic, please refer to previous posts on cyber risk management for industrial control systems.
- Perry