Deconstructing Defensible - Defensible is not the Same as Secure

In my previous post, The Castle has no Walls, I introduced the concept of 'defensible' as a goal for enterprises to replace the notion of 'secure', which I fully believe is an outdated and broken descriptor for anything in today's hyper-connected, modern world. This post and the few that follow go through the five basic ideas behind defensibility and why defensible is the state we should be striving for as enterprise security professionals.


This is the first of 5 blog posts explaining the core concepts of 'defensible'.



Defensible is not Secure


While apparently not everyone agrees, 'defensible' is a much more appropriate term for describing your enterprise posture. There are a few reasons for this, but at the core we must understand that 'defensible' is not concrete and does not imply a binary state. Unlike 'secure', which does imply a binary state (you're either secure or you're not), defensible offers no such promise. Let's be honest though, anyone who truly believes anything is really secure just has to wait a few minutes until they're proven wrong...


This leads me to the major problem I have with the word 'secure': there is no such state. If we're honest with ourselves and our businesses, we have to admit that there is no such thing as 'secure.' To work around the binary nature of 'secure', we add modifiers such as "reasonably secure" or "inadequately secure," but those are not well accepted when the board room demands an assurance of security.


"Defensible," on the other hand, does not give assurance or imply any concrete state. This fits the model of the hyper-connected world we live in, where at any given time anything can be broken with enough cycles or scrutiny. Defensible is not a guarantee or an assurance against hacking or a breach, and I think this is the most important point. While 'secure' is used as an assurance that a breach will not befall our enterprise, defensible is something else entirely and makes no such guarantees. I can already hear people cringing...



What does Defensible Mean?


So, if defensible doesn't give us a guarantee against being hacked or breached the way 'secure' claims to, what does it imply? What guarantees does 'defensible' provide us?


I think that defensible is an even stronger word than secure if you look at it right. Defensible means that you've positioned the right defenses in the right place, at the right time, for the right reasons, to defend against the right adversary. Defensible also means that your environment and infrastructure are built such that they can adapt to failure when (or if) it happens. Yep, that's a lot of things that have to line up, and none of it guarantees you won't get breached. Josh Corman has a pyramid model that has "defensible infrastructure" as the base for a strong security program. This is the absolute truth.


Defensible is a stronger concept than security because it has one magic component that 'secure' lacks: the built-in ability to detect, respond to, and recover from malice.


Whereas 'secure' tends to focus on prevention of a breach, defensible focuses as much on prevention as it does on adjustment, detection, response, and restoration of service. Therein lies the magic. You can now tell your CEO or board that while you will continue to allocate resources to prevention, you acknowledge that it's impossible to be 100% secure. You'll now strive to be defensible. Defensible means that you've designed your infrastructure to be able to patch when needed without business disruption, to adapt to adversaries and to changing technical and business conditions, and to contain a breach in progress.


Admittedly, it won't be simple to just tell the Chief Executive of your enterprise that you can't guarantee an absolute state of security. I also believe that rational people understand this, and if your executives and board are worth their salt, they'll understand too, provided you present it properly.


So while defensible is not secure, I believe that it is, in fact, better and more appropriate for the enterprise.


In the next post we'll tackle why it's impossible to 'defend everything'... Stay tuned!

Richard Steven Hack (anon) | 03-12-2013 06:08 PM
I have a meme that I repeat ad nauseam to anyone who will listen: "You can haz better security, you can haz worse security. But you cannot haz 'Security'. There is no security. Deal."
Mark Nunnikhoven (anon) | 03-13-2013 07:48 PM

I completely agree with your positioning here and I think it's a more logical approach. Something as simple as the choice of wording shifts the mental model, as you point out, from the binary secure/not secure switch to a more reasonable and--ahem--defensible position.


When I read your line "I think that defensible is even a stronger word than secure if you look at it right" I immediately thought of the more cynical tack, which I think is just as valid if not even more useful as a definition.


To me, defensible implies that you've put the organization in the best possible position to fend off an attack given the current set of constraints and information.


That would lead away from the "right" defenses at the "right" time against the "right" adversary as you put it. To me the "right" implies the correct choice regardless of constraints. Instead we have the--admittedly less catchy--best available defenses at the most logical time against the most probable adversary. 


Not much of a sales pitch but more realistic IMO.

TestWithUs (anon) | 05-22-2013 05:31 AM