Security is a process, a way of being, not a product.

Max Pritchard

When I bought my house, I invested in high quality locks for the doors and windows. Honestly, unless you go really cheap, all of the locks are reasonable but I am prone to enjoying the tiny technical details that mark developments in technology. I have the same interest in physical locks as I do firewalls.

But when we had a break-in recently – it had nothing to do with the quality of the locks I selected. I had neglected to secure the kitchen window before leaving for work. The security failed due to user error.

It won’t be the first or last time that sentence has been written down.

The problem for a network security professional is this: how do you design a secure system which takes into account human frailties such as complacency, ignorance, misjudgement and malice?

The best answer is to treat security as a process – not something you can buy from a third party. It’s a way of being – a way of working and it introduces feedback and ensures continual improvement. Security is thus visualised most commonly as a wheel – as popularised by Cisco.

corporate security policy diagram

In the diagram here, ‘Secure’ involves implementing technical security controls – buying products and services that allow you to enforce your defined security policy. ‘Monitor’ involves real-time observation of dashboards and alert management, with regular log audits. ‘Test’ involves active simulation of security incidents to validate system performance and improve user preparedness. Finally ‘Improve’ is the critical feedback step where lessons learned from monitoring and testing the system are fed back into the system itself.

I like to think that “security is a process” is such a basic truth that it goes without saying, but then in the aftermath of the Ashley Madison hack in 2015, the company released a press statement that said “We … have had stringent security measures in place including working with leading IT vendors from around the world.” I don’t know for sure, but the wording seems to demonstrate a blind trust in quality locks as opposed to a complete security process.
I can only hope that, if the company survives, it would have learned a lesson about how to go about the business of protecting their customer’s data.