The Perimeter Defense Fallacy

By Rob Austin

Not long ago, I led a discussion about digital security with a group of business owners/CEOs. We were focused on a Harvard Business School case about a company that gets denial of service attacks and has problems with mysterious intruders. Halfway through the session, a participant stood and slid past his colleagues to the aisle, opening his cell phone as he left. Five minutes later he returned. After class, he apologized. "I'm sorry, but I had to call my IT guy. Last week I told him to wait on the firewall upgrade. I just told him to do it today."
 
I was amused and pleased -- pleased that this classroom discussion had impacted practice so directly. But later, I worried that the most important part of my message had not gotten across. Although this cash-constrained CEO had not said so explicitly, I sensed he thought he'd solved the problem we were discussing by upgrading the firewall. Of course, nothing could be farther from the truth.

Most of us know better, but we all succumb, one way or another, to the idea that if we just build high enough walls around company systems, we'll solve the largest problem with digital security. But, rely too heavily on security at the perimeter and we render our corporate networks, as one security expert puts it, "hard on the outside, but soft and mushy on the inside."

We also too often think of the perimeter as existing primarily in digital, rather than physical, space. Another security expert likes to say, "A middle-aged person in a uniform pushing a food service cart can defeat the most sophisticated perimeter security." There is no firewall we can buy, or upgrade, to quick-fix our security issues.

So where does that leave us? There are technical answers to this question: defense in depth, layered security, firewalls between segments of corporate networks. These are fine answers, but they are parts and pieces of a solution, not a comprehensive approach. The problem with parts and pieces -- with treating digital security as a technical problem -- is that you have no way of deciding when you are protected enough. There's always another technology some consultant insists you need.

I advocate an operational approach, focusing on business tradeoffs and procedures. You decide which information assets in your business deserve the most protection, which you can afford to leave, relatively speaking, more exposed (nobody has an infinite amount to spend on security), and set up defenses proportional to the importance of the assets.

Then, put together solid, reliable, and constantly improving operational procedures that minimize your risks should an attack occur. How quickly are the computer accounts of a separated employee disabled? How quickly after vulnerabilities are identified in IT products do you test and install patches?
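Both of those questions have numeric answers, and a company that runs security operationally should be able to compute them on demand. The script below is an added example, not part of the original column: it measures offboarding latency (days between an employee's separation date and the date the account was actually disabled) and patch latency (days between a vendor advisory and the installed fix) from two small data sets, then reports which items breached a chosen service level. The HR records, directory export, advisory list and the SLA thresholds are all constructed for illustration; a real deployment would read them from the HR system, the directory and the vulnerability tracker.

```python
from datetime import date

# Constructed sample data (not from the article): an HR separation list,
# a directory export, and a vulnerability tracker export.
AS_OF = date(2024, 3, 15)             # the day the report is run

SEPARATIONS = {                       # user -> last day of employment
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 3, 4),
    "bwong": date(2024, 3, 5),
}

DIRECTORY = {                         # user -> date the account was disabled
    "jdoe": date(2024, 3, 1),         #         (None = still enabled)
    "asmith": date(2024, 3, 11),
    "bwong": None,                    # separated ten days ago, still enabled
    "cmartin": None,                  # current employee, never separated
}

ADVISORIES = [                        # (tracker id, vendor publication date,
    ("VULN-1", date(2024, 2, 20), date(2024, 2, 27)),   # date patch installed
    ("VULN-2", date(2024, 2, 25), None),                # or None = still open)
    ("VULN-3", date(2024, 3, 10), date(2024, 3, 12)),
]


def offboarding_lags(separations, directory, today):
    """Days each separated user's account stayed enabled after separation.

    A still-enabled account is measured up to `today`, so the lag keeps
    growing until someone disables it. A separated user who is missing from
    the directory export is reported with lag None: that is a data gap to
    investigate, not a success.
    """
    lags = {}
    for user, left_on in separations.items():
        if user not in directory:
            lags[user] = None
            continue
        disabled_on = directory[user]
        end = disabled_on if disabled_on is not None else today
        lags[user] = (end - left_on).days
    return lags


def patch_lags(advisories, today):
    """Days from vendor publication to installed patch; open items are
    measured up to `today`, the same way still-enabled accounts are."""
    return {adv_id: ((patched or today) - published).days
            for adv_id, published, patched in advisories}


def sla_report(lags, sla_days):
    """Split a {key: lag} map into (within_sla, breaches, unknown),
    where lags above `sla_days` are breaches and None lags are unknown."""
    within, breaches, unknown = [], [], []
    for key, lag in lags.items():
        if lag is None:
            unknown.append(key)
        elif lag > sla_days:
            breaches.append(key)
        else:
            within.append(key)
    return within, breaches, unknown


if __name__ == "__main__":
    off = offboarding_lags(SEPARATIONS, DIRECTORY, AS_OF)
    print("offboarding lag in days:", off)
    print("offboarding SLA (1 day):", sla_report(off, 1))
    patches = patch_lags(ADVISORIES, AS_OF)
    print("patch lag in days:", patches)
    print("patch SLA (14 days):", sla_report(patches, 14))
```

The two thresholds (one day to disable an account, fourteen days to patch) are placeholders; the point is that the business picks them, in proportion to what the assets are worth, and then tracks the breaches. Note that an open item is never scored as zero lag: an account nobody got around to disabling, or a patch nobody installed, shows up as a growing number rather than disappearing from the report.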
 
Executives in companies that do this right know the answers to these questions and others like them. This line of defense relies on inspiration from the Total Quality Management movement rather than pinning hopes on the latest technological gizmo. It is an approach non-IT managers can understand and participate in, and it engages everyone in the firm in security efforts. Not security at the perimeter, but security throughout the enterprise: hard on the outside, and procedurally hardened at every vulnerable point on the inside.
 
And that's just got to work better.
 
Rob Austin is a professor at Harvard Business School and chair of "Delivering Information Services," the school's CIO Executive Education program.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
