Tuesday, March 3, 2015

Good Things Come in Small Packages

Recently, during a discussion on Twitter, Richard Bejtlich asked me to blog about my experiences working with the Estonian Cyber Defence League (Eesti Küberkaitseliit).  I visited them for a week back in 2009, and I was quite impressed with what I saw then.  I have no doubt that they have made great progress in the six years since.

The lesson I would take from my time in Estonia is that good things come in small packages.  Small, technologically advanced countries enjoy a few advantages in information security.  Here are just a few of them:

Being Nimble: Information security moves at a relentlessly torrid pace.  The threat landscape changes constantly.  A hulking bureaucracy has no chance.  A nation that is small, while having fewer resources, can also be quite agile and use those resources more efficiently.

Recruiting: Small countries generally have small information security communities.  And within these communities, everyone usually knows everyone — or at least everyone worth knowing.  This can lend a huge advantage to recruiting efforts for a Cyber Defence League.  It reduces the time and expense of finding the right people, as well as the risk of making the wrong call in recruiting.

Training and Education: Small countries generally have much more centralized education systems at all educational levels.  This lends itself well to both influencing curriculum and identifying talent.  Facing a shortage of skilled information security professionals?  Grow them organically.  This is much easier to do in a small country than in a large one.

Visibility: Before a given asset can be protected, we have to know where it is. Because smaller countries have fewer assets in general, it is much easier to keep track of them.  Want to protect all of the electrical substations or network ingress/egress points in a small country?  Probably doable.  In a large country?  Good luck finding all that stuff.

Humility: Small countries generally understand that they cannot go it alone.  As such, they are much more likely to learn from others and work collaboratively as part of the larger information security community.  They are also much less likely to have a “not invented here” syndrome.  This comes in quite handy when building and operating a Cyber Defence League faced with the tall order of protecting the nation’s critical infrastructure.

Implementing Changes: In a small country, once a decision has been made to implement a change, it is generally much easier to do so.  There is simply less bureaucracy, friction, and inertia to overcome.  That can make it much easier to bring about meaningful change within a realistic amount of time.

These are just a few of the many reasons good things come in small packages.  Although larger countries have more resources than smaller countries, they can learn a lot from their smaller counterparts.  Something to think about if you are involved in cyber defense in your home country, wherever that may be.
