Generals are often accused of fighting the last war – applying tactics from previous battles regardless of whether or not they truly fit the current situation – especially if those tactics were successful. I suppose it’s human nature to do so.It’s what they know. It’s what their armies are already trained and equipped to do. After all, they’ve already done it. Tactics from a past war may have led to victory – and even promotion – but seldom work a second time.
A vanquished opponent learns from the past. Successful generals realize that a completely new approach will be needed to succeed the next time around. The Maginot Line stands as a monument to those who fail to grasp this concept. Erected by the French after the First World War, it was a static, complex, layered and expensive line of interconnected fortifications aimed at preventing the Germans from invading again. It didn’t work. Instead of following a dated script, Hitler’s army improvised by invading Belgium and simply marching around the Maginot line to occupy France.
Are any bells ringing yet for the infosec crowd?
Today’s information security strategies are stunningly similar to the ill-fated military strategy of the 1930s. Enterprise organizations rely on static, complex, layered and expensive defense strategies. Of course, much like the Maginot Line, these tactics don’t work against a determined attacker either.
It’s nearly impossible to open a newspaper today without reading about the next big breach – from Sony to Epsilon to the U.S. Senate – many have fallen victim to highly publicized attacks in the last 12 months. Why? Because the cyber threats we face today have predictably evolved. The attackers are determined. They are patient. Perhaps most importantly, they are agile. A complex, “set it and forget it” defense strategy designed to minimize personnel requirements is no match for a well-informed, agile opponent.
Imagine what a well informed, agile defender could accomplish against today’s advanced threats.
It’s time to give it a try.