Security was simple in the Middle Ages. You found a steep hill and built a castle on it. Add a few walls and ditches, and you felt pretty secure.
There is one problem with this strategy - most castles were starved, not stormed.
Locked inside the castle, the inhabitants had limited access to food. The attackers just sat outside and waited for them to starve. While they waited, they ransacked the surrounding estates. To be truly secure, those inside had to leave the castle and face the assailants.
IT security is like that. We build a 'keep' at the centre of our organisation and surround it with firewalls. We write policies shutting out the outside world. We tell everyone how dangerous that world is.
Then, we sit back and wait to starve.
We starve ourselves of customer contact. Our customers chat about us. They share photos of our products. When we restrict access to social media, we begin to look out of touch.
We starve ourselves of partnerships. We sell through a web of intermediaries. We buy from a complex supply chain. We work with many partners along the way. If we put walls around ourselves, those partners go elsewhere.
Cutting off feedback
We starve ourselves of innovation. Walls cut off feedback. They reinforce innate tendencies toward tribalism and 'groupthink'. Safe within them, we generate safe and stale ideas.
This sort of security is an illusion; perfect barriers don't exist. The more that people rely on technical defences, the more exposed they become to subtle, socially engineered attacks.
Worse, the illusion cuts us off from opportunities. Consider P&G's open innovation programme: more than half its new products arise from collaboration outside the corporate walls. Tesco and Virgin Atlantic have used similar models.
Of course, the world is dangerous. Bad guys exist. We need technical defences. However, we can't lock ourselves away in castles. Eventually, we need to go out and face our attackers.
Graham Oakes is a technology consultant. He can be contacted via www.grahamoakes.co.uk or email@example.com. His book Project Reviews, Assurance and Governance is published by Gower.
True security depends on human vigilance and action. A secure organisation equips its people to deal with threats.
It educates them about:
Rationale - Why is security important? What might attacks cost? This requires balance: we need to make the threat real without scaring people into inaction. Scare tactics are counterproductive.
Recognition - What does an attack look like? How can we recognise threats?
Response - How should we respond to attacks? How do we take opportunities without exposing ourselves to unnecessary risk? How do we balance risk and reward?
Practice - A sword is useless if you haven't regularly practised with it and don't know how to use it. The same goes for our security tools: people need to know how to use the tools we install on their machines.
This doesn't preclude the need for corporate firewalls and intrusion defence. We need such infrastructure, but as a support for personal defences, not as a replacement.