• United States



Four things a Scout campout teaches us about security

Jun 20, 20115 mins
Data and Information Security

I recently joined my oldest son Sean on a camping trip with his Cub Scout pack, and it poured relentlessly the entire time.

A day of sports, hiking and storytelling beneath the stars turned to mud. But as it all went to hell, I realized there were lessons to be learned — lessons that apply to the security industry.

These are not perfect, scientifically and logically air-tight observations.

It’s just a lighthearted look at some of the things that occurred to me on that rainy day.

Sign up today.

Get your morning news fix with the daily Salted Hash e-newsletter!

Lesson 1: Be prepared

This is a good place to start because “Be Prepared” is the Boy Scout motto. Laying out one plan will never do. You have to plan for any and all eventualities.

If you’re a scout, you have to plan for bad weather or supplies going missing. Taking hikes can lead to sprained ankles and you have to be prepared to cook up an improvised medical solution.

If you’re a security professional, writing a security program and saying it’s implemented is never enough. The bad guys will constantly look for holes in your carefully-constructed policies and technology. Users will inadvertently fall through security holes you didn’t know existed.

To be prepared, scouts need a layered plan. To survive a security incident, businesses need a layered program.

Lesson 2: Even when prepared, things will go wrong. Adapt

Even if the scouts have a plan for what to do if it rains, things will still go wrong. The fire may get washed out even if you keep throwing fresh wood on it. Tents you thought would withstand a deluge will still collapse.

You might bring a spare pair of socks in case the ones on your feet are drenched through, but if there’s A LOT more water than you expected, the spare socks will not escape a soaking.

In the business world, you might have a back-up plan in case your security machinery goes on the blink or one of your best IT guys calls out sick in the middle of a network migration.

But what if two people get sick (think pandemic planning) and you’re left with one person to hold everything together? It’s never enough to have one back-up plan. You need several options at all times.

Lesson 3: If all else fails, feed them

When a group of scouts is cold, wet and bored, the adults are in deep trouble. Anarchy is at hand. But give them a lot of comfort food and they will cheer up immediately. On our outing, the scout master cooked enough to feed two Army divisions. Everyone huddled under a big tarp and had their fill.

In the business world, if you suffer a security breach and hold back the details, your customers get itchy and irritable. Then the lawyers and investigators circle you, fists clenched because you won’t tell them anything or at least give them a cookie and some coffee while they wait for you to figure things out.

They become a lot like the bored, cold and wet scouts. Don’t let this happen.

Satisfy everyone’s appetite for news by being as open and honest as possible when you realize the breach has occurred. If you know where the bad guys got in or which customers are affected, say so immediately. If you don’t have answers, simply say so and keep everyone in the loop with daily updates. And if they still get restless, give them a cookie, so to speak.

In this case, something of value in return for what they’ve lost in your security failure. One piece of advice: Free credit monitoring won’t cut it. That’s like giving drenched, bored scouts tofu to make them feel better.

Lesson 4: Never let untrained children mess with electronics.

On a scout outing, there is usually a pair of walkie talkies lying around so the leaders can communicate if groups get split up. Kids will inevitably get their hands on them and have fun. They’ll mess with the channels and, without realizing it, say something on the police channel that might make the local cops uneasy.

The police appear looking for a disturbance and find it’s just kids having fun. To the police, this is the equivellant of a false positive.

In the business world, employees often don’t know what they’re doing when they first get their hands on a company laptop of smartphone. Somewhere in the process of looking at porn and falling for pump-and-dump stock schemes, their machines get infected.

Just as you may have to take the walkie-talkies away from the kids, sometimes you have to take away access to certain sites and programs to keep employees from wandering into dangerous territory.

You give them only what they need to survive.

–Bill Brenner

one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

CSO’s Daily Dashboard gives you a