BOTH SIDES OF THE COIN

Security is hard. This is not the first time I have said it, but I wanted to say it again, up front and center.

Today this fact is even more important for us, as security professionals and as users, to keep in mind. To have a good security program you need to move past the defense-only mindset and begin to think differently. There are two sides to security, and both are needed for a successful, resilient program.

In order to defend your assets, you need to first understand what your assets are and how they can be exploited. The more you understand your environment (physical, digital, cultural and social), the better you'll be able to understand your priorities and focus when setting up your defenses. On the other side, you also need to understand who will attack you, who will try to get to those assets, and how. Understanding who the adversaries are, and how they will mount an attack, will give you a good look at how your defenses are set up. Understanding the attackers will bring you clarity about your own team, your own policies and best practices. It will force positive change.

Fail to do either of these things - understand your environment and understand your attackers - and security will fail. Maybe some of the attacks will be avoided, but a well-organized, focused and determined attacker will always find a way. You have to be ready for that. You have to stress-inoculate yourself, your team and the organization in general.

Always look at both sides of the coin.

(Note: a slightly different version was originally published at the Advanced Capabilities Group blog)