As a cybersecurity consultant, I’m often asked by customers how they compare with their peers in the industry. These requests range from simple anecdotal comparisons of products used to full-fledged benchmarking of their entire cybersecurity program. Either way, it’s clear that aligning practices and spending with peers is important to many, particularly among critical infrastructure operators. To be fair, it’s not easy to figure out how much to spend and where to spend it. And of course, government regulations, standards, and industry frameworks offer little assistance, as they tend to bend over backwards in their efforts to not recommend specific security solutions lest they be accused of bias. But specific recommendations are exactly what many of these folks want. They want to justify the $2 million they’re spending on new application-layer firewalls or the newest malware sandboxing tool.
Despite suggestions from the U.S. Department of Homeland Security and the White House that the government will be offering useful guidance on how to secure key networks, we’re frequently left wanting, as even the voluntary guidance tends to resemble a high-level statement of the obvious rather than a robust and detailed implementation plan. Writers of control frameworks seem desperately afraid that anything too prescriptive would get adopted without further thought, and so detailed examples for particular technology platforms tend to be excluded. The U.S. Defense Department’s Security Technical Implementation Guides are notable exceptions to this trend, but they suffer not from lack of detail but from lack of context. The implication is that the operating system should be just as secure regardless of whether it is for a Top Secret weapons program or for publishing the menu for the local mess hall. In both the public and private sector, context is everything. Defining how a system should be secured needs to be done based on the industry and business processes involved. That is why most standards and control frameworks fail and why organizations instead look to their neighbors for how to keep their businesses secure.
While perfectly understandable and frequently useful, benchmarking and anecdotal sharing of security practices need to be taken with a grain of salt. For many organizations, their technology infrastructures are an important differentiator. For many more, these architectures are an amalgam of hardware, software, processes, and people slapped together over a long period of time. Finding exact replicas, even among similar businesses, is about as likely as finding a nude beach in North Dakota in the middle of January. Moreover, even the belief that regulators will give a company a positive review if everyone else is following the same practice is a bit misguided. And in court it can be downright wrong. A famous court case called The T.J. Hooper (In re Eastern Transportation Co., 60 F.2d 737 (2d Cir. 1932)), which many first-year law students study, is particularly instructive. In the case, two tugboats were caught in bad weather while towing barges. As a result of the storm, the barges sank and the cargo on the barges was lost. The cargo owners sued the tugboat owners, claiming that the tugboat owners were negligent for failing to install radios on their tugboats that would warn the operators of bad weather. A law had recently been passed requiring radios on passenger vessels, but it didn’t apply to tugboats. The tugboat owners also maintained that the use of radios was not common practice for tugboats, and therefore, it was not unreasonable for them to not have the radios. The trial and appellate courts both sided with the plaintiffs, finding the tugboat owners liable for the lost cargo. The famous Judge Learned Hand wrote:
“Indeed in most cases reasonable prudence is in fact common prudence, but strictly it is never its measure. A whole calling may have unduly lagged in the adoption of new and available devices. . . . Courts must in the end say what is required. There are precautions so imperative that even their universal disregard will not excuse their omission.”
Cybersecurity practitioners can probably come up with a long list of practices that are “universally disregard[ed]” but are nonetheless essential. Every time a company defends its practices as being completely in line with a particular standard or regulation, Judge Hand’s prophetic words should resonate with us. That doesn’t mean that we don’t have anything to learn from our peers. We certainly do. But we must always appreciate the context and be ready to respond to management’s suggestion that a new expenditure, process change, or personnel hire is not needed because no one else is doing it. We all remember what our mother said when we told her all the other kids are doing it. If we don’t listen to Learned Hand, let’s at least take Mom’s advice.