Dr Who and the fable of the exploding door

What the timelord can teach us about IT security

After 15 years of information security breach surveys, and recent events demonstrating that the loss of one laptop can lead to a fine of almost £1m, we can safely say that security is on most people's agenda.

So why are we still worried about security? It is like the old adage that we would chant about quality: security is a journey, not a destination.

There are two truths about security. One is that you cannot manage security, you can only manage risk. The other truth is that as one security measure wanes, you need another to take its place. Single solutions to security problems are rarely effective.

Cyberman in the doorway

I think of this as the case of the cyberman in the doorway. Now that Dr Who is back and it is no longer embarrassing to quote it, the time has come to let the analogy out of the closet.

Picture the scenario. The cybermen are melting the door of the spaceship's bridge. The doctor wires up the door and "stabilises" the melting metal just as a cyberman attempts to step through. Just as Dr Who and company are patting each other on the back, the other cybermen use explosives to blow a hole in the door and through they go. Melting the door was just one way in.

And this single-minded approach to security is exacerbated by our being too readily taken in by the glamour of features. A firewall with all those exciting facilities is still just a firewall. When you allow a legitimate program through the firewall, that legitimate program can carry other malicious content inside it. It is only one solution to one part of the problem.

We need a culture of "defence in depth". Where there is a vulnerability, it will be exploited. Where there is a chance for accidental damage, it will happen.
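To make the "exploding door" concrete, here is an added example (not part of the original column) of what defence in depth looks like as code. A perimeter firewall decides only on program and port, so once a trusted program is allowed through, anything it carries goes with it. Two further, independent controls look at what the firewall cannot see: the content of the payload and the volume sent. The policy sets, indicator strings, egress limit and sample connections are all constructed for the illustration and do not come from any real product or signature set.

```python
"""Defence in depth: a single control versus layered, independent controls.

Constructed example. The firewall policy, the content indicators, the
egress threshold and the sample connections are all hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One outbound connection as the controls see it (constructed sample)."""
    program: str
    dest_port: int
    payload: bytes
    bytes_today: int  # volume this program has already sent today


# Layer 1: the perimeter firewall. It knows only program and port, so a
# trusted program is let through regardless of what it carries.
FIREWALL_ALLOW = {("updater", 443), ("mail-client", 993)}  # hypothetical policy


def firewall_allows(conn: Connection) -> bool:
    return (conn.program, conn.dest_port) in FIREWALL_ALLOW


# Layer 2: content inspection. Constructed marker strings stand in for real
# signatures; what matters is that this control reads the payload, which
# the firewall never does.
CONTENT_INDICATORS = (b"MZ\x90\x00", b"<script>")


def content_clean(conn: Connection) -> bool:
    return not any(marker in conn.payload for marker in CONTENT_INDICATORS)


# Layer 3: a behavioural limit on daily egress per program (constructed
# threshold). Catches a trusted program sending far more than it should,
# even when every individual payload looks clean.
EGRESS_LIMIT = 50 * 1024 * 1024


def egress_within_limit(conn: Connection) -> bool:
    return conn.bytes_today + len(conn.payload) <= EGRESS_LIMIT


def single_layer_decision(conn: Connection) -> str:
    """The 'stabilised door': one control, one way in covered."""
    return "allow" if firewall_allows(conn) else "block:firewall"


def layered_decision(conn: Connection) -> str:
    """Each control is evaluated independently; any one of them can block."""
    layers = (
        ("firewall", firewall_allows),
        ("content", content_clean),
        ("egress", egress_within_limit),
    )
    for name, check in layers:
        if not check(conn):
            return f"block:{name}"
    return "allow"


# Constructed sample traffic, one case per way the single control falls short.
SAMPLE = {
    "legit_update": Connection("updater", 443, b"GET /manifest.json", 1024),
    "smuggled_binary": Connection(
        "updater", 443, b"POST /upload\r\n\r\nMZ\x90\x00..." , 1024),
    "bulk_egress": Connection(
        "mail-client", 993, b"A001 APPEND ...", 60 * 1024 * 1024),
    "unlisted_program": Connection("unlisted-tool", 8443, b"hello", 0),
}


def compare(samples=SAMPLE) -> dict:
    """Return {name: (firewall-only decision, layered decision)} for each sample."""
    return {name: (single_layer_decision(c), layered_decision(c))
            for name, c in samples.items()}


if __name__ == "__main__":
    for name, (single, layered) in compare().items():
        print(f"{name:18} firewall only: {single:16} layered: {layered}")
```

The firewall-only column allows the smuggled binary and the oversized transfer because both come from a trusted program on a permitted port; only the layered evaluation blocks them, and each block names the control that caught it, which is the information an operations team needs to see which layer is doing the work.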

Dual threat: dual defence

We are frequently reminded that technology is not the whole solution and that our biggest threat comes from the human vulnerabilities in the network. However, we must not be sidetracked onto another focus that is just as single-minded as our affair with technology.

We must remember that the vectors for realised risk are legion and we must be prepared to duck and dive to defend against them. Our attitude needs to swing from immediate satisfaction of a job well done to the continuous warmth of doing a job well.

So when we spot the human vulnerabilities and treat that risk with screening and training, we need to be tweaking the rules at the firewall at the same time. This is too much for any one person. So if the surveys tell us that human vulnerabilities are the greatest threat, then, with the right attitude, many of those same people can also be our greatest defence.

The effectiveness of security relies on a continuous wave of effort. It is not just a snapshot. Let's not swing to focus on human vulnerabilities and forget technology - it is part of the same picture and that picture is of a landscape that we need continuous sorties across. That brings us full circle. Now pass the sonic screwdriver.
