The Zero Defects Problem in CyberSecurity
Author: John Gilbert, AKA CyberSecurity Consultant
Date: Friday, June 29th, 2018
I walked into the small manufacturer’s server room (more of a server ‘closet’) and had a look around. I was there to determine the best place to install a small network sensor – a piece of hardware that allows my expert analysts to remotely watch for cyber threats. Typically for a business with precious little budget for top-end equipment, the server rack had some problems. However, being such a small, uncomplicated network, it was a simple matter to determine where and how to place our equipment. Making a dusting-off-of-hands gesture and a shrug, I turned back to my contracted network expert (who could not fit in the tiny server room with me) and said, “Well, it looks pretty straightforward.” He nudged his way past me as I slid sideways out of the way, eagerly moving cables and wires, ducking behind the server rack to inspect it from seemingly every angle. “We can’t even begin to put a sensor in here,” he said, “I mean, look, they don’t even have up-to-date servers, and look how old their firewall is!” He held up a tangle of wires. “These aren’t even labeled, and they have to all be disconnected, sorted, and bundled neatly! This server room is going to take A LOT of work before we can do anything!” I immediately recognized that my network guru fell into the ‘Zero Defects’ camp of cyber defense.
Zero Defects, as the Quality Managers out there might remember, was a popular management and quality system which held, among other things, that the performance standard for any process, system, or product is Zero Defects: ABSOLUTELY NO problems. Those same Quality Managers might also notice that I speak of Zero Defects in the past tense. That is because it was generally a bad idea, and the reason it was a bad idea is that it defined ‘quality’ as “conformance to requirements”. To a network architect, that means a server rack MUST meet all of the latest and greatest standards or it is ‘junk’: an all-or-nothing view. In practice this translates into an enormously expensive rebuild being proposed to a small business owner who likely just called the IT folks to fix a single problem or install a single security device, such as a sensor. Confronted with tens of thousands of dollars of network rebuilds and updates for which there is simply no budget, the owner may decide not to proceed even with the simple sensor installation that was originally requested: a classic ‘perfect is the enemy of good’ scenario.
Luckily, industry drifted away from defining quality as simple conformance to rules and towards something like “quality is the product meeting the customer’s expectations”. Hand in hand with this goes NIST Special Publication 800-171, which sets out the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. Rather than telling small businesses “you MUST” do such and such, it asks them to first determine what they NEED: the requirements apply to the systems that store, process, or transmit the data that must be guarded, so the scope can be drawn narrowly, and gaps that cannot be closed today are documented and scheduled rather than treated as instant failure. The steps of the NIST 800-171 compliance process are simple and user-friendly:
Step 1) Assessment – determine which of the requirements the company already meets and what it still needs in order to protect its CUI
Step 2) Plan of Action and Milestones (POA&M) – lay out a reasonable, budgeted plan to close the remaining gaps and reach the necessary level of security over time (In our offering, this is combined with Step 1.)
Step 3) System Security Plan (SSP) – document exactly what the company needs to protect, the boundary of the systems that handle it, and how each requirement is (or will be) met
Step 4) Incident Response Plan – document the company’s particular plan to detect, respond to, and report security incidents
Imagine how absurd it would be to call the IT folks to install antivirus on your old laptop, only to have them say on arrival, ‘Sorry, but we can’t put antivirus on this until you buy a new computer.’ NIST 800-171 cuts through this by saying, ‘If this is what you can afford now, let’s put antivirus on it, and then let’s come up with a plan to update the operating system or get you a new laptop.’ Flexible, customizable, budget-minded, and above all a wise investment: all are apt descriptions of the NIST 800-171 compliance process. As for my friend the network guru, he ended up realizing that installing the sensor was the best and most cost-effective way to meet the customer’s expectations of security.
Advantage Kentucky Alliance has been working with our network of affiliates to put together some critical CyberSecurity services. To inquire about these services, or any of our broad array of services, contact Kurt Felten, our marketing specialist, and have him set up a time for you to meet with one of our experts. Kurt can be reached at (606) 620-0076 or via email at firstname.lastname@example.org. You can also see our AKA website for more information. Just go to www.AdvantageKY.org.