Security, outside-in and inside-out

Two different approaches to information security that are stronger when combined


There’s a chance you’re reading this thinking that information security isn’t really that big of a risk; that it’s all about scaring people, and nothing is really going on. Well then, I’m afraid you’re either completely lost or in the absolutely blissful situation of being completely disconnected from modern technology. If it’s the latter, lucky you. If it’s the former, rather than continuing to read this blog, I would advise you to first catch up on a few others. And then quickly shut down your computer.

The key element to protecting yourself against cyber security threats isn’t trying to prevent them all, but acknowledging that it will happen to you. The only thing you can do is reduce the likelihood as much as possible and ensure that when it does happen, the impact is as minimal as possible.

In risk management, there are typically four fundamental approaches to handling risk, and they are (for me) easiest to remember as the four Ts: tolerate, treat, transfer and terminate. For many threats, tolerate won’t be an option and your business model may not allow you to terminate that particular part of your business. Transferring it, by insuring it, for instance, may be overly expensive, impossible, or come with too many side effects (e.g. reputational damage). So, in many cases, you need to be treating it; you need to deal with it.

When treating a risk, you first need to know your exposure in order to know where to expend your efforts. Fundamentally, there are two ways to find exposures, which I’ll summarize here for the sake of simplicity as “outside-in” and “inside-out.” The most common and well-known way is outside-in, which can be disrespectfully described as an intelligent way of banging on doors and seeing if they open. This is what ethical hackers do; it’s basically the same as what non-ethical hackers do: try to get in. The other way is inside-out. This approach is more fundamental; it looks at your code, your set-up and your architecture to identify the places where somebody could potentially get in. More importantly, you will then also learn what damage the baddies could potentially do: the data they could steal, the privacy issues you may end up with, the data that could be tampered with.

Although we highly value the outside-in approach, the inside-out approach is fundamentally stronger. When properly implemented, it ensures you minimize risks and thereby build more resilient software. We see that as organizations mature, they recognize more of a need for this approach. As systems become larger and more complex, the inside-out approach becomes all the more necessary.

Of course, it’s best to combine both approaches. It’s perfectly fine that outside, somebody is banging on doors trying to get in, while inside, somebody is looking at the structural integrity of it all. Both approaches become stronger when they’re combined.
