The “Fortress Mentality”
Information security has proven itself immensely valuable in just about every sector: commercial, government, research institutions, and more. At the same time, certain barriers stifle progress, leading to security-related incidents that might not otherwise have occurred, or to unnecessary escalation of the cost and impact of the incidents that do occur. One of these barriers is something that Tom Longstaff, now of Johns Hopkins University, and I first identified and documented back in the late 1980s: the "fortress mentality." The "fortress mentality" means investing the preponderance of resources and effort in preventative controls, to the point that those who have done so come to view their computing environment as an impenetrable bastion that cannot be breached.
One of the main problems with the "fortress mentality" is that it blinds information security practitioners to the real nature and impact of risk. No single control, and no group of controls (e.g., in a "defense-in-depth" approach), mitigates all of the risk it is deployed to counter; residual risk invariably remains after controls are in place. When most resources and effort go to preventative controls, the other parts of the security cycle, namely detection and reaction/correction, are neglected. One unfortunate consequence is the inability to detect and react quickly and efficiently to the breaches that do occur. Consider what happened recently to TJX. Had technical staff promptly detected the intrusions that led to so many successful identity thefts, TJX's financial losses from the break-ins would have been considerably smaller. Instead, the intrusions went undetected for approximately one year, and the losses skyrocketed accordingly.
Virtually everyone knows that modern armies do not rely on fortresses. Any army that stayed inside a fortress would be blasted to bits by today's weaponry; it would be a "sitting duck." The same applies to information security controls. Although up-front (preventative) controls are highly desirable, more dynamic controls that detect and mitigate incidents are just as necessary. Consider, too, the need for reinforcement troops in military engagements in case the front line is breached; detective and corrective controls are the information security equivalent.
I worry that auditors also reinforce the fortress mentality in their audit findings and recommendations. I fear that too many auditors do not really understand or appreciate the nature of detective and corrective controls; when they conduct audits they focus mainly on the quantity and quality of preventative controls. Perhaps worse yet, those who do recognize the value of detective and corrective controls may translate that requirement into a need for intrusion prevention tools. Although intrusion prevention is an up-and-coming technology, it is still far from perfect, and it is itself a preventative control: an inline intrusion prevention system blocks what it recognizes and does nothing about what it misses. It is by no means a substitute for genuine detective and corrective capabilities.
The best solution for combating the problem is security education and awareness, with information security professionals, senior management, and auditors as the target audience. Until the "fortress mentality" becomes a thing of the past, something that eventually will happen, it will continue to interfere with information security professionals' ability to manage security-related risk effectively.