Nearly every child of my generation was raised on a healthy dose of country idioms, commonly accepted maxims, and, of course, Aesop’s Fables. I had my own dog-eared copy of Aesop’s most widely known work even as a youngster. Some I could easily grasp, but as I recall, the tale of the sour grapes was just outside my abilities to fully understand.
One such saying has always been with me: to close the barn door after the horse has bolted. With a career in information security, you can imagine how many times that idiom has gone through this practitioner’s mind. Almost daily.
A colleague recently called me and said our fishing trip he had to sadly decline was now back on the calendar.
“What happened?” I asked. “Last I heard, you were going out of town on a business trip to begin a strategic security assessment at a client site.”
“The client had to roll back the start date a month to deal with an internal issue,” he replied vaguely.
“That may have been bad for your employer, but I am pleased you will be able to join us on the fishing trip. Make sure to bring beer.”
The following week, when we were out on the boat, I asked if he had received any explanation on what had occurred that was serious enough to push off an expensive on-site engagement. He replied they had a ransomware attack and all the people he and his team would need to interview were heads-down trying to get everything back up and running. It would be at least a month.
“Well,” I said, “perhaps you should have pushed to keep to the original schedule. It would be like a real-world table-top exercise that your team could oversee.”
“Hah, we told them the same thing,” he replied. “But they weren’t amused. You see, our assessments and reports are often used to satisfy some auditor or government regulatory agency. The detailed and lengthy report we provide them isn’t really for their edification and implementation. It exists to be relegated to a file drawer while a copy is forwarded to the oversight agency for their file drawer.”
“It seems like such a waste to delay the effort when you could use the recent experience to include an after-action session in order for them to learn from the incident. Without a comprehensive follow-up, it may just happen again.”
He shrugged. “Yeah, I understand your point, but we were told our effort would be completely unrelated to their response to a ransomware attack.”
We continued to float, fish and sip a beer. The scenario of someone closing the barn door after the horse had bolted certainly occurred to us both, but it went unsaid as he snagged a feisty bass. We were there to fish, not to rehash work problems, so the topics changed as the cooler filled with fish for a big cook-out.
I should have been surprised or at least mildly amused by this anecdote. But I had seen and dealt with the same issues many times before. I had one personal experience where a large IT-dependent organization had called in the strategic advisory team after a brutal and humiliating breach that had made the front page of several major papers. Now they wanted that security review they had been putting off.
While we went through the normal interview and inspection phases of the engagement, we noticed the loading dock at the data center was being stacked with boxes emblazoned with well-known cybersecurity product vendors. Several pallets were being pushed into corners and out-of-the-way places around the data center.
“That seems like a lot of new equipment,” I noted. “Is this all part of your actions in light of the breach?”
“Sure is,” said the IT director proudly. “I was able to get an open checkbook from the board for anything and everything I needed to prevent an attack in the future. What you are seeing is the first wave of the new security stack we just ordered. Fifteen million dollars’ worth!”
I made a low whistle.
“But the best news is that I was able to extend your engagement. We now need you to tell us how we can implement all these new products in two years or less.’’