Building the Unsinkable Company

Tragedies happen and are mainly out of our control, but sometimes we can learn from them. The Titanic was a model of modern technology, the Unsinkable Ship. Watertight bulkheads divided the hold so that the damage would be contained if there was a breach. Unfortunately, a fateful turn caused the breach to be too large for these defenses. Tragically, other safety measures were shortchanged because of the confidence placed in the bulkheads, resulting in disaster.

It is worth noting that hindsight is always 20/20, that trade-offs were made based on circumstances and business needs (happy customers), and that different people can have different risk tolerances. The safest ship would be one sitting on land and not moving (kind of useless).

Security Analogy

The watertight bulkheads divided the hull into separate sections so that the hole (breach) and water (hacker) could not reach the entire hull without resistance. Role-based access control divides access to your systems so that a single compromised credential cannot flood the company. These bulkhead controls need to be maintained and checked for leaks even in the absence of water so that they will work when required. In the Titanic's case, it might have made sense to extend them further up into the hull. We must ensure that our controls fill the entire gap and are configured correctly.

Compliance Analogy

There were not enough lifeboats to rescue everyone because more of them would have taken up space and crowded the beautiful deck. This decision was made, and time proved it wrong. Requirements, especially regulatory requirements, should be reviewed, met, and monitored. Lifeboats need to exist and also be maintained in working order.

Governance Analogy

The first lifeboats were not full. There was no clear, understood process rolled out. Instead, there was a certain level of panic and disbelief. Internal processes must be created, maintained, and executed during a crisis. That did not happen here. Companies need internal processes for avoiding and handling issues.

Security GRC & Assurance

For most of us, these concepts and consequences are not life and death but instead have to do with money and reputation. The responsibility for managing risk sits with different teams and different tools. A method to step back and bring everything together is required to understand the entire situation and effectively plan for various outcomes. Security GRC & Assurance does just that. It brings everything together. Security and GRC controls are monitored and maintained to ensure everything is set up and functioning correctly. Once this visibility is achieved, prioritization and redundancies can be planned and executed. Different teams will no longer work in silos toward what are ultimately the same goals.

Start at Design

One might argue that redundancy and safety are best addressed by separate teams attacking the same threats, ensuring redundancy by default. But this approach contributed to the Titanic's problems. Because the safety measures were added later by a separate team, there was not enough room for the lifeboats without crowding the deck and the wealthy customers. Safety was not integrated into the design. A unified approach allows all stakeholders and issues to be considered together and implemented at the design stage.

Conclusion

In short, it is time to integrate Security and GRC. This integration will allow Security and Compliance to shift left to a Security and Compliance by design end state.

ComplianceCow is the first integrated Security GRC & Assurance Platform of this kind. It is an automation, orchestration, and collaboration platform built to easily connect disparate systems, collect data from those systems and, most importantly, allow the user to take action based on that information.