Security Experts:

What the Segway Can Teach Us About Information Security

Segway Human Transporters

The Segway Can Offer More Security Insight Than You Might Realize

According to Wikipedia, “The Segway PT (originally Segway HT) is a two-wheeled, self-balancing personal transporter by Segway Inc. It was invented by Dean Kamen and brought to market in 2001. HT is an initialism for 'human transporter' and PT for 'personal transporter'.”

Most of us are likely familiar with the idea of the Segway, though fewer of us have probably tried riding one.  That was certainly true of me - up until very recently.  A few weeks ago, I tried riding a Segway for the very first time.

At the risk of an abrupt segue and a poor excuse for a Dad joke, what does a Segway have to do with information security?  Further, what can the Segway teach us about our field and improving our respective information security postures? I would argue that the Segway can offer us more security insight that we might initially realize.  It is in this spirit that I offer five ways in which a Segway can instruct us as to how to improve our security programs and security postures.

1. Self-balancing:  If you’ve ridden a Segway, you know that it takes a few minutes to learn how to control and steer it.  Until you get used to the fact that it self-balances, it feels a bit strange to lean forward and background, almost like doing so will cause you to fall.  Once you get the hang of the Segway, however, it’s actually quite intuitive and easy to operate.  In the same way, we need to build our security programs to be self-balancing, intuitive, and easy to operate.  We need to pay the appropriate amount of attention to all of our functional areas and programs, regardless of how much or little they interest us.  If we begin to neglect a particular area or one area begins missing the mark, we need to make adjustments.  We want our security program to be attuned enough to pick up on the change immediately and, at the same time, resilient enough to address it right away.  Otherwise, we run the risk of our efforts running astray and off-course far too easily.

2. Continually adjusting:  Not surprisingly, a self-balancing device like the Segway will need to continually measure, assess, and adjust its positioning to maintain stability and usability.  The same is true of a security program.  First and foremost, meaningful metrics that measure how the security team is mitigating, minimizing, and managing the risks and threats to the organization are required.  This is an area that remains a challenge across our industry as a whole.  But it is an investment that pays a high yield.  The measurements we receive from quality metrics allow us to more easily assess our progress and performance.  That, in turn, allows us to adjust as necessary, continually correcting and adjusting our course to ensure we stay on track toward meeting our goals.

3. Carefully tuned:  A Segway is a well-engineered, mature product.  All components of the Segway serve a purpose and are carefully tuned to meet expectations.  The same is true of a security program.  In order for a security program to be effective, it needs to be well-engineered and mature.  That starts at the top - with the support, guidance, and leadership of security executives and the business.  A strategy and vision should be articulated, documented, and communicated.  Buy-in from customers, partners, executives, the board, and other stakeholders should be gathered.  From there, each functional area within the security team should be responsible for properly implementing and operating its area of the vision and strategy.  This requires good leadership in each area, along with the right people, process, and technology.  Gaps should be identified and addressed continually, to ensure that the program continues in an ever-maturing direction.

4. Easy to use:  Operating a Segway is extremely easy.  This is by design, of course.  Working with the security team ought to be the same.  Security can’t be the department of “no”.  Obviously, operating the business securely is of the utmost importance.  But the key word in that sentence is the word “operating” - at the end of the day, the job of the business is to run itself.  A good security team has invested in building and maintaining relationships across the business.  Further, that same good security team has figured out how to work collaboratively with the business to help it operate more securely without being the department of “no”.  Making security more user-friendly to the business encourages the business to incorporate security from the beginning.  That, in turn, results in a more secure business, rather than a less secure one.

5. Fun: No discussion of the Segway would be complete without mentioning how fun it is to ride one.  At the end of the day, no matter how sophisticated, how impressive, and how advanced a product is, if it isn’t fun for the end-user, it’s going to be hard for it to have mass appeal.  As we look at ourselves as a profession, we can take a lesson from this.  There are many bright, talented, and experienced security professionals. There are many security teams with advanced and mature capabilities. But what we as a profession don’t have is the ability to connect with the broader world that’s out there.  Okay, security may never be as fun as a Segway. That being said, we don’t need to remain an obscure and misunderstood profession. What’s stopping us from clearly communicating some of the principles and knowledge that drive us as security professionals to a broader audience in terms that they can understand and relate to? I’ve always believed that if we can promote security in terms that the broader world can understand and relate to, we stand a chance at making a difference.  The power to create a more secure world, it seems, is in our hands.

view counter
Joshua Goldfarb (Twitter: @ananalytical) is currently Director of Product Management at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.