Metcalfe’s Law said the value of a network grows as the square of the number of its “compatibly communicating devices” increase.
Typically the presentations of Robert Metcalfe’s idea replaces “compatibly communicating devices” for “users” or “machines” according to Simeon Simeonov. Yet that’s an important nuance because while networks connect users, the proliferation of the IT infrastructure brings along other challenges.
In his piece, Mr. Simeonov notes a large network “introduces friction and complicates” connectivity, identity management and provisioning among others. Today, network security is an obvious addition.
Indeed, mobile devices, BYOD and the cloud have added to the potential value of a network as well as the risk. It’s created a wider surface area of attack and added complexity to the IT infrastructure.
So, given nearly every enterprise with any history has added more and more compatible devices over a long period of time, when does it make sense to create an entirely new network security strategy rather than update the existing one?
We propose there are three high-level triggers and those follow below.
1) The first trigger is driven by business change.
Organizations today are more dependent on their networks to conduct business. For example, the business needs the network to sell products, to conduct electronic financial transactions, and to communicate with its customers and suppliers.
In addition, what’s being stored on the network today is far more valuable. You are putting digital assets there like money, trade secrets, competitive or customer data that makes it more attractive to hackers. This means your network security strategy has to both enable business – and protect it from data theft.
The business is also storing more data that is considered sensitive and personally identifiable information (S-PII) which brings additional costs. Businesses have to worry about European standards; HIPAA compliance if they are in healthcare; PCI data if they process credit card transactions, and the list goes on and on.
If a network gets compromised, the cost to the business is more than just the information loss. There are going to be fines. The breach will be in the news, so the brand and reputation are going to be impacted. There are likely to be legal fees and fees associated with the fallout such as the potential for credit monitoring fees or related costs.
So, when the business undergoes a significant change that should prompt you to think about your network – and how you protect it – differently.
2) The second trigger is driven by the security organization.
Security comes to the realization that its current network security strategy isn’t working anymore. For example, you might have been hit by ransomware, experienced data theft (exfiltration), or faced some type of direct asset theft. That’s when security teams come to terms with the notion they don’t really know what’s happening on the network.
It doesn’t take an incident to come to this realization either. This can stem from organic growth, for example, supporting additional employees, or integrating networks and system following a business acquisition. All of a sudden this initially well-architected and well-designed network has evolved dramatically into something far more complicated and less understood.
Consequently, security realizes it has network blind spots, unprotected areas or inconsistent policies. For example, you may find you’ve got three different firewall solutions, and while the policies may look the same, various technologies might implement those policies differently in practice.
3) The third trigger is when circumstances have changed.
This happens naturally as a result of an evolving security strategy. You hit a point where you need to add many new technologies all at once. You might run into this for example, when a legacy security system is coming up for renewal and price has been increased or a solution you use has reached its end-of-life.
Other cases we see might be when the burden of running a large number of technologies has reached a breaking point. A more integrated view of network security and less onerous management burden would be welcomed. These examples are perfect times to consider the entire security strategy rather than just the new items that you might add.
Those are the high-level triggers are fundamentally tied to the business. The business has changed and evolved to an extent that it prompts the security team to reconsider how they are protecting the network.
* * *
Metcalfe’s ideas are attributed (along with Moore’s Law) for bringing us the networking protocols that made the Internet possible. Maybe security wasn’t a priority in the formative years, but few could have foreseen the extent of the security challenges we would face today.
Indeed, on the recent 30th birthday of the Internet, Sir Tim Berners-Lee himself acknowledged it “is impossible to eradicate completely” the “deliberate, malicious intent, such as state-sponsored hacking and attacks, criminal behaviour, and online harassment.”
If we can’t eliminate these, the next best thing is to manage the risks by evolving your network security strategy.
If you enjoyed this post, you might also like:
Network Visibility: Can You Analyze Encrypted Traffic for Cybersecurity Threats?