Newton’s Laws of Motion: A Reflection of Today’s Computer Security Landscape
by Shoaib Yousuf, Managing Director and Partner, Boston Consulting Group (BCG)
Contrary to popular belief, an organization’s IT security is not a default enabled setting. Actions must be taken before an organization can claim that its business is secure. The corollary to this is that while an organization may have policies, procedures, and technology in place for it to consider itself safe, that state will only last as long as it is not degraded by external forces. This picture has interesting parallels to Newton’s laws of motion, which have formed the foundation of classical mechanics since they were first stated by the famous scientist in the late 17th century and led scientists to an awakening in the way we understand the world and move through it.
The first law of motion states that an object will remain at rest or in continuous motion (inertia) until acted upon by another force. The second law states that if it is acted upon by said force, the rate of change of its momentum will be equal to the size of the force. And finally, the third law states that all actions will have equal and opposite reactions.
Organizations can gain valuable perspective from the story contained in these three simple statements. Like anything with mass, they too will remain in inertia, which for them means a state of insecurity, until attacked. To have adequate security, they must adopt a speed of change equal to the perceived threats. Indeed, for every incident, an equal and opposite reactionary measure will be needed to mitigate it.
Why early action doesn’t work
Security (or bad security) is, more often than not, a series of reactionary measures put in place by organizations that do not take the time to develop a holistic security solution that incorporates risk and reward measures. Typically, it is the result of one person in an organizational “food chain” feeling the heat from someone above them. This heat trickles down until someone does something to make it look like action is being taken, regardless of how effective that action is. This creates the perception of a uniform level of security protection for the organization, and routine maintenance gives the additional impression that adequate provisions are being made to overcome the negative influence of outside forces.
Most organizations that attempt to effect change as a result of an incident response yield little long-term safety benefit. Organizations and their decision-makers who have dealt with such incidents must ask themselves some difficult questions: Was the incident foreseeable? Had I never considered the possibility of this type of incident in the past? Could policies or procedures to mitigate the harm have been implemented if the budget, resources, or time to implement them had existed prior to the incident?
How to build a sustainable security framework for your organization
There is another parallel that begs to be drawn from Newton’s law of gravitation: each particle attracts every other with a force proportional to the product of their masses and inversely proportional to the distance between them. Mathematics aside, to put the situation more simply, a large organization can expect to attract threats in proportion to its size, especially if it is already particularly vulnerable to them.
Security measures that need to be implemented hastily will always consume more resources than proactive, rational, and thoughtful security measures that are implemented over time. Analyze your risk scenarios and implement measures to mitigate risks before they arise – and make sure you spend enough time doing so.
If organizations plan ahead, work to mitigate risks before they arise, and provide training and awareness of security measures and policies, they can reduce the negative impact that hasty reactions can have. It is impossible to completely eliminate reactionary thinking, but rather than letting reflexive decision-making dictate their course, organizations should use it to strengthen their position by implementing policies and procedures that improve security processes over the long term.