There are only two types of motorcyclists – those that have been down, and those that are going to go down.
This insight was shared with me by a plastic surgeon summoned to sew my right thumb back together one gorgeous Saturday evening back in the mid-90s. This occurred after I impacted a car that inexplicably turned into traffic directly ahead of me – while I was riding in city traffic without wearing any gloves.
Riding motorcycles is an art of calculated risks. To many outsiders, it appears reckless, certain to end in disaster. Personally, since the time of said accident early on in my riding career, it has become something I enjoy almost as much as anything in life but try to approach as carefully as possible.
On a typical ride, I set out at dawn and head out of the city, covered from head to toe in armored leathers and a full faced helmet, along with gloves and boots laced with carbon fiber protection. Whether it is attempting to avoid heavy traffic or wearing all of my gear, these are attempted forms of practical motorcycle risk mitigation.
So, what’s the cyber security relevance to all this?
Forrester Principal Analyst and Zero Trust advocate Chase Cunningham apparently also likes to ride motorbikes. He mentioned as much in his keynote on Zero Trust this week at the research firm’s annual Security & Risk Conference.
The context in which he mentioned riding relates directly to the manner of precautions I’ve laid out, as he likened the efforts of IT security practitioners to maintain effective defenses to that of the prudent, or not so careful, motorcyclist.
His point? Everyone is likely going to get hacked sooner or later – how well you fare typically comes down to how well you have prepared for, and respond to, the inevitable. Chase specifically cited the difference between merely attempting to achieve compliance [riding with nothing but a helmet, as dictated by law] versus putting on all the equipment needed to give yourself a better chance of survival [Zero Trust/defense in depth].
So, this is clearly common sense. Yet, as the analyst and his esteemed colleagues at Forrester continue to point out, their concept of Zero Trust supports a set of best practices that surprisingly often evade broader adoption across the realm of IT security and risk management.
Namely that: 1. The traditional ITSec perimeter is long dead. 2. “Advanced”, or multi-stage threats are the reality. 3. Security must evolve constantly to support: Changing business models (app economy etc.); Shifting technology models (to the cloud!); All of the above, and other emerging trends, including available security tooling.
Moreover, Zero Trust contends that you better accept the reality that your layered defenses will be circumvented, and as such create more adaptive and effective processes to deal with it.
The common-sense nature of this approach is probably the most obvious takeaway. Yet, the reality is that, despite its straightforwardness, practitioners will point out that adopting such a Zero Trust approach, specifically in a complex enterprise environment, isn’t necessarily that easy.
Conversations with a handful of CISO-types attending the conference evidenced a lack of clarity about just how they will achieve it. The how-to elements are also constantly evolving.
For Bay Dynamics, we see a huge opportunity for our Risk Fabric security analytics platform to fulfill several key technological requirements of Zero Trust – importantly tied to foundational processes and targeted use cases.
As Forrester has noted in its Zero Trust research, analytics that provide visibility across numerous deployed security platforms [such as DLP, endpoint protection, CASBs, etc.], along with inferring the value of underlying business assets, will play a huge role in enabling Zero Trust models.
From informing and prioritizing incident investigation and response, to connecting security and line of business stakeholders, analytics, the experts maintain, will emerge as a central hub of Zero Trust security operations and management.
Of course, this is closely aligned with our vision. In an upcoming webcast hosted by ISMG, Bay Dynamics CTO and co-founder Ryan Stolte will seek to put a finer point on developing Zero Trust kill chains and threat detection and response (TDR) workflows.
Obviously, it’s easy for us to validate what Chase and other Forrester analysts such as Joseph Blankenship are saying about automation, analytics and Zero Trust, we also just think it makes too much sense.
Just like putting on your gear before you head out on the road.
You know, there are only two types of security defenses…
Register here for the webcast "Building Effective Zero Trust Kill Chains Using Data-Centric Analytics".