Monday, April 11, 2011

The Kobayashi Maru

Trek nerds will remember the Kobayashi Maru as a requisite test for command. It was a simulation of a no-win scenario that taught how a candidate would deal with utter failure. As Spock said, "The purpose is to experience fear, fear in the face of certain death, to accept that fear, and maintain control of oneself and one's crew. This is the quality expected in every Starfleet captain."

I'll also say that this is a quality I expect in every security leader. Except our fear isn't of death, but of breach. Like the title of this blog, I think it's a useful exercise to assume you've been breached and plan accordingly. For some, this is as radical an idea as contemplating one's own mortality. Specifically, I've encountered more than a few executives and tech leads who are fully willing to go their entire career expecting that they will never experience a data breach. For me, I saw it as an educational opportunity to teach. Teach them that organizations can survive a breach; it's a matter of doing the best job you can and being able to prove it. It's also a matter of knowing where your weak spots are and what can happen. And it's a matter of preparing for response.

If you take nothing else out of this post, take this: perform a Kobayashi Maru test on yourself. Test your incident response plan. There are some great guides out there. Write a plan and test it. Figure out some likely scenarios and run the steps and see how you do. For scenarios, you could even replay the last few major breaches and think about how you'd do if it happened in your org. Not how you'd defend against it (cuz I assume y'all thought of that the second you read about it) but imagine it already happened. Now think about how far it's spread internally, what data would be leaked out, what services would be offline, what forensic data you would have. This will likely cause you to rethink some controls: are you logging enough? Do you really have defense-in-depth? Do you have an accurate data inventory? Do you have all the critical personnel on speed-dial? Do you have an organized method of contacting customers? Figure this all out and share the data with your boss. Tell her it's a good idea to plan for a disaster so it doesn't destroy the company. How an organization responds to a breach is a crucial factor in a security program.

And when you want to point at other major breaches and chuckle with schadenfreude, you should think one thing: that could have been you. You think you've got all your bases covered, you're locked down and unbreakable? Think again. And you know what, check again on those companies in 12 months and see how they're doing. Some are done and gone. Others have survived, maybe even stronger. And to those security folks there, I think they might have done a good job preparing for failure. And I take that as a challenge. Again, Trek said it better than me. This time it was Captain Pike, talking about the destruction of the USS Kelvin: "Your father was Captain of a Starship for 12 minutes. He saved 800 lives. Including your mother's and yours. I dare you to do better."