Flip The Script: Let The Attackers “Win”

April 5, 2023

2 min read

Sean Steele is co-founder and managing
partner at Infolock.

In This Article

Join Our Newsletter

Follow Us


No offense, but we think virtually everyone is doing it wrong… information security that is, and specifically data security.

Or, we think how most organizations go about prioritizing their limited financial and human resources — and more importantly, their limited time and attention — backwards.

Permit me to explain.

Many organizations are stuck in a futile “threat-vulnerability-attack-risk-countermeasure” cycle. As an industry, we’ve literally transposed the phrase “cyber security” over “information security” — and assumed (at best) that the two were equally important, and at worst, that Internet-borne bad actors and attacks deserved the lion’s share of our attention.

They are not equally important.

After almost 17 years helping organizations mature their data risk management initiatives, we remain more convinced than ever that there are only two asset classes worth your strategic focus: 1) data and 2) people. And, that all other assets fall somewhere on a continuum of “not worth protecting” to “reasonable best effort protection” (after prioritizing data and people, that is).

Resilience is the New Black

What does sustainable data- and people-centric focus look like 2022? Resilience.

In this more enlightened worldview, we have a clear, prescriptive, and mature posture, where attack prevention isn’t as important (or urgent) because the objects of those attacks are known, understood, classified, backed up, secured/protected, recoverable, and restorable. And, in the case of people, trained.

And those other assets, like applications, networks, devices, endpoints, cloud workloads, structured data facilities, perimeters, etc.? We can down-prioritize them, as operationally critical assets — but not STRATEGICALLY critical assets — and alter their protection schemes accordingly.

I said to a customer once: “In the castle, we don’t protect the crown jewels or the Queen’s life like we protect the pots-and-pans in the kitchen. Not to say cooking dinner isn’t important, but it’s not an existential dilemma if we skip it.”

The others stuff? They may show up on an asset report, but if you’ve prioritized data and implemented controls correctly, their individual (or collective) compromise shouldn’t impact your organization.

In other words, let the attackers have them — you don’t need them.

The Scourge of Ransomware

An example I give to healthcare clients concerns the ramsomware attacks that brought multiple hospitals and providers to their knees in 2020 and 2021. These attacks typically started with attackers securing a network foothold (often via phishing), then reaching laterally across the network to cripple clinical, registration, or others systems’ availability through encryption of primary application data stores (as opposed to the application stack or infrastructure layer itself).

Flip the Script

The issue is many if not all of these healthcare organizations hadn’t done the upfront data risk assessment and preparation work needed to be able to make rapid response decisions in the moment. They spent precious hours and days figuring out what happened, to which systems, and who had been affected… and once all that information was collected, finally discussing the important questions:

  • How should we react to this?
  • How difficult will it be to roll back?
  • What do we do in the meantime?
  • Should we pay the ransom?

Meanwhile, their operations either ground to a complete halt, or reverted to some pre-Computing Age version of itself. Costs piled up, reputations suffered, but most importantly: patients were not able to receive the level and quality of care they needed and deserved.

Instead, they could have been executing a series of pre-defined actions.

Frame the Work

You need to frame out this work to have a reasonable chance of success. However, most existing frameworks are cyber-, infrastructure-, or network security focused.

Our DataRAMP (neé Data Risk Management Framework) sets up an organization to make deeply informed, thoroughly considered, comprehensive, prescriptive, ongoing, program-centric governance and risk management decisions about data risk. What data they MUST have, along with the why, when, how, for whom, and during-what-sorts-of-situations considerations.

DataRAMP evaluations are used to build out decisioning into roles and responsibilities, a tech stack, data protection controls, correct configurations, operational playbooks, and disaster recovery “break-the-glass” procedures, among other support scaffolding.

And then we practice it, as though it were an order to “battle stations” on a ship at sea. Because that is what it is: wartime preparedness training guided by a clear strategic vision and consensus approval from executive stakeholders.

After adopting this model, this mindset, and employing DataRAMP correctly, when organizations are next caught up in a ransomware attack – which we all know they will be, perhaps many times in the future – the process of restoring data, and access, will be orders of magnitude faster and less painful than it was before.

They can get back to that “last known good state” in record time.

Ultimately, it makes avoiding attacks less important (which is good, because we can’t win that battle no matter how hard we try) and focuses efforts where they can have the greatest effect.

Related Posts

Flip The Script: Let The Attackers “Win”
What does it look like when organizations do their data security and risk management homework upfront,

2 min read

April 5, 2023

Cybersecurity Is Dead — What Now?
We must stop insisting cybersecurity can "win" the war against cybercriminals, because we've already lost.

2 min read

March 10, 2023

4 In 4: 4 Insights From My First 4 Months At Infolock
After four months on the job at Infolock, I want to let prospective customers and employees know.

2 min read

April 7, 2021

Challenge The Status Quo
Quick fix technology solutions aren't a substaitute for hard work and careful planning.

2 min read

January 16, 2023

Data Breach Cynicism Takes Hold
In more than 20 years of working in the IT security industry, I’ve helped literally hundreds of companies

2 min read

November 14, 2022

Ciso, We Have A Problem
Since 2001, I’ve worked with hundreds – even thousands – of infosec practitioners: analysts, engineers, technicians,

2 min read

August 17, 2022

It’s The Data, Stupid!
Data is notoriously messy. It’s clear most organizations have lost control of it – or, never had control of it in the first place.

2 min read

June 26, 2022

Peak Vendor: Reclaiming Infosec Priorities And Budgets In The Age Of Big Marketing
I’m not sure when the bubble began. Three years ago? Five? Security needs

2 min read

May 3, 2023

Banishing The Backseat Drivers
If you’re in security, you know how

2 min read

March 30, 2022

Vendors Know You Too Well
Could you imagine walking into a car dealership without:

2 min read

January 15, 2022