Thomas Raschke

Think for a moment about the very simple, used-to-death castle analogy with its walls, gates, guns, guards, etc. and how these parts related to early network security. The analogy certainly had its shortcomings already back then – but it nevertheless got popular because of its inherent simplicity.

In today’s complex data and identity driven world of security and risk management, the old castle simply doesn’t cut it any longer. Just think of examples like the skyrocketing amount of data “crown jewels” all over the place (not just in the tower), the almost constant transport of these assets to places in and mostly outside of the castle, and the fact that insiders/peasants pose a much bigger risk than external attackers. Also, there is not just one king today, everybody has something protect-worthy (data, identities, etc.) and the same person can in fact have multiple identities. Sure, you can add bits and pieces into the old castle metaphor, but it quickly becomes too complex and therefore useless as an analogy.

So, while most members of the security academia have given up on the castle some time ago, the question is: Can we provide a simple, yet somewhat holistic concept of modern security and risk management?

Fact is, that we as security professionals struggle to explain to non-security folks what it is we are doing and why we are doing what we are doing. A bit of insurance talk, a sprinkle of metrics, lots of tech explanations, and certainly a huge portion of scare tactics are still our most often applied tools. But we all know – and experience on a daily basis – that we are not making ourselves clear to LOB managers, executives, and other non-technical people.

So, is there a single, all encompassing metaphor any longer? Or will we inevitably end up comparing the complexity of today’s security and risk landscape to, well the “real” world? But then again, wouldn’t that ‘metaphor’ fall short of the main reason for why we use analogies – namely simplification? Hence, wouldn’t that be utterly useless?

Or, instead of trying to construct a next-gen analogy, do we simply have to become better at articulating ourselves? Are a non-tech language, simple words, and context going to be enough to get our message across? Or should partial analogies be thrown into our new communication mix? Or does everything ultimately boil down to K.I.S.S.?