….two friends are walking through the woods. As they round a corner on the trail, they spot a big, agitated grizzly bear getting ready to charge. One of the friends grabs his running shoes out of his pack and starts to put them on. The other says to him, ‘Are you crazy, what are you doing? You can’t outrun a bear!’ His friend says, ‘I don’t have to outrun the bear… I just have to outrun you!’
When my career in the information security industry started back in the mid-to-late 1990s, I was listening to some of the top security experts in the telecom industry discuss their strategies for protecting their organizations. As the discussion concluded, one of the panelists pointed to the others on stage and said, “Listen. I don’t need to be better than the attackers. I just need to be better than these two guys.”
In the days of opportunistic nuisance attacks, that well-known industry metaphor resonated, and even made for an arguably effective strategy. Like the bear, those attackers charged after the easiest target. In other words, they reached for the lowest-hanging fruit they could find. Unfortunately, strategies that evolved from such simple metaphors have outlived their usefulness for cyber security. Time and again I’ve heard customers tell me their security is “good enough,” and that they are better than most organizations in their industry. The truth is “good enough” is not good at all.
Things have changed. In today’s world of advanced targeted attacks, attackers are motivated by what you have rather than by how accessible what you have might be. They want specific customer lists, product designs and other intellectual property that they can’t get anywhere else. Someone else can worry about attacking your competitors. They want YOU.
In the age of Advanced Persistent Threat (APT) and other targeted attacks, simply being a little better or a little faster than the person next to you no longer works. So, forget about the running shoes; a pair of jet-powered roller skates might be more appropriate. Because as it turns out, in today’s untamed cyber wilderness, you actually DO have to outrun the bear.