A friend once asked me what made IT security difficult enough to warrant people dedicating entire careers to it. He was under the impression that one could simply buy the appropriate software and totally secure anything that needed securing. At the time I was so overwhelmed by the array of possible explanations that all I could muster was a generic “It’s much more complicated than that.”
If I’d had the presence of mind to give him a relatable metaphor, I would have told him to imagine being king of a far-off land, living in a castle. Your foremost duty as king is to protect the castle and everyone living within it. Protect them from what? Everything. There are countless dangers outside your walls that would harm you and your people if given the chance.
There are two types of threats to your castle: known and unknown. Known threats are significantly less dangerous because you already know how to prepare for them. For example, you know the neighboring kingdom has a newly crowned ruler who came to power with something to prove, and his ambition could lead him to your front gate. A competitor or neighbor coveting something you have isn’t as uncommon as you might believe, in both our metaphorical kingdom and on the modern internet. The easiest way to protect yourself from invaders storming the front gate and taking what belongs to you is to close the gate and station a squad of knights there. Since you own the castle, you should be familiar with every way in and out, so you review each one and make sure that access is granted only to those you want inside; a passage you have not reviewed is one you cannot guard. You establish protocols for when to open the gate and when to keep it closed, how closely to scrutinize different kinds of visitors depending on where they come from, and what to do with unwanted ones.
Unknown threats are a different kind of problem altogether. You know there is a darkness out there beyond your borders, always waiting for an opportunity to deprive you and your people of your collective livelihood. The only way to combat a threat that is unknown but inevitable is to always be prepared for it. How do you prepare for something you’ve never experienced? You limit the damage any single incident or compromise can do through compartmentalization. You segment access to sections of your keep, so that even if an ill-doer makes it through your gate he will not get past the second checkpoint, and he most definitely will not reach the throne room. You consult adventurers, whose breadth of experience beyond your realm adds an invaluable layer of protection to what you hold most dear. You employ scouts whose job is to patrol the kingdom and the lands beyond it, searching for new threats and reporting back when they find something so that you can ready your defenses. You enlist trustworthy men to police your kingdom, quarantining troublemakers when they show their faces and keeping them apart from the public to await judgment.
The thing about this metaphor is that it applies to almost any system, from something as small as your personal laptop all the way up to a corporate network. You have two primary jobs: preventing unwarranted access, and dealing with whatever goes wrong on the inside, whether that is misbehaving software or someone who managed to get in without permission. We can install antivirus and firewalls to address the issues we know about, and subscribe to automatic updates so that we’re prepared for new threats as they are disclosed. This is standard practice for, once again, all systems large and small.
The problem is that once the sensitivity of your data passes a certain threshold you cannot rely on these methods alone. You cannot bet that no one will ever discover an unprotected port on your network. You cannot assume that none of your software carries a zero-day, a flaw that attackers can exploit before any patch exists. This is why IT security is a complex topic. The landscape is constantly evolving, even more so than you might imagine, because we’re in the relative infancy of computing technology. We have to be conscious of shifting security concerns and able to react to them. Sometimes that means reconfiguring complex systems, and it always means being able to interpret and understand the implications of new technology.
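Knowing every way in and out of the castle, and never betting that nobody will find an unprotected port, translates into something concrete on a real host: an inventory of the services that are supposed to be listening, checked against what is actually listening. The script below is an added example, not code from the original post. It parses `ss -ltnp`-style output (a constructed sample is embedded so it runs offline), compares each listener against a constructed inventory of documented ports, and reports anything undocumented, anything served by a different process than expected, and anything documented as loopback-only but bound to every interface.

```python
"""Audit listening sockets against a documented inventory.

Added example: parses `ss -ltnp`-style output and reports every
listener that is undocumented or bound more widely than allowed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Addresses that only the local machine can reach.
LOOPBACK_PREFIXES = ("127.", "::1")


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str

    @property
    def is_loopback(self) -> bool:
        return self.addr.startswith(LOOPBACK_PREFIXES)


# One `ss -ltnp` row: state, queues, local addr:port (IPv6 in brackets),
# peer addr:port, then an optional users:(("name",pid=...)) column.
_ROW_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+"
    r"(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^\s:]+)):(?P<port>\d+)\s+"
    r"\S+\s*"
    r'(?:users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(output: str) -> list[Listener]:
    """Return one Listener per LISTEN row; the header and other rows are skipped."""
    listeners: list[Listener] = []
    for line in output.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue
        addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
        listeners.append(Listener(addr, int(m.group("port")), m.group("proc") or "?"))
    return listeners


# The documented gates. Constructed for this example; in practice this comes
# from your asset records. port -> (expected process, may face the network?)
INVENTORY: dict[int, tuple[str, bool]] = {
    22: ("sshd", True),
    443: ("nginx", True),
    5432: ("postgres", False),  # database: loopback only
    3306: ("mysqld", False),    # database: loopback only
}


def audit(listeners: list[Listener], inventory: dict[int, tuple[str, bool]]) -> list[str]:
    """Compare what is actually listening with what is documented."""
    findings: list[str] = []
    for lsn in listeners:
        entry = inventory.get(lsn.port)
        if entry is None:
            findings.append(f"undocumented listener {lsn.process} on {lsn.addr}:{lsn.port}")
            continue
        expected_proc, may_face_network = entry
        if lsn.process != expected_proc:
            findings.append(
                f"port {lsn.port} is served by {lsn.process}, inventory says {expected_proc}"
            )
        if not may_face_network and not lsn.is_loopback:
            findings.append(
                f"{lsn.process} on {lsn.addr}:{lsn.port} is documented as local-only "
                f"but is reachable from the network"
            )
    return findings


# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1120,fd=6))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       128     0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=1044,fd=21))
LISTEN  0       128     0.0.0.0:6379         0.0.0.0:*          users:(("redis-server",pid=1301,fd=6))
LISTEN  0       128     [::]:9200            [::]:*             users:(("java",pid=1500,fd=20))
"""


if __name__ == "__main__":
    # On a live host, replace SAMPLE_SS_OUTPUT with the output of `ss -ltnp`.
    for finding in audit(parse_ss(SAMPLE_SS_OUTPUT), INVENTORY):
        print("FINDING:", finding)
```

On the sample the audit reports three findings: a database bound to every interface although it is documented as loopback-only, and two listeners (Redis and a Java service on 9200) that are not in the inventory at all. The inventory is the point of the exercise: a port you never wrote down is a gate you did not know you had, and it is exactly the one an attacker will try first.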