In the physical world, an architect is "a person whose job is to design new buildings and make certain that they are built correctly" (Cambridge Dictionary).

If this definition carries over to the digital world, the system architect's job is to ensure that the system is built correctly according to the business requirements. Extending it to cybersecurity, the cybersecurity architect's job is to ensure that proper protection is incorporated into the digital landscape.

Most often, cyber protections are overkill. I came across an example in which a USB thumb drive carrying publicly downloaded security patches required encryption because company policy only allows encrypted drives. On the IT side there is no issue, because the patches are downloaded on an IT machine with Internet access. But transferring the files to the OT side creates a problem, because decryption requires running a special program from the USB drive's "public" partition, and the OT environment is locked down. Further, the objective of encryption is to protect sensitive information on the USB drive, since its contents could be disclosed if the drive is lost. If a dedicated USB drive is used solely to transfer publicly downloaded security patches into a locked-down environment after media sanitization, this encryption is unnecessary.

We must challenge cybersecurity practitioners to explain why unnecessary controls are needed.