We Need Action, Not Strategy, Said No Security Expert Ever

Forrester's Targeted-attack Hierarchy of Needs

Bruce Schneier’s recent post on Al Qaeda’s efforts to create their own encryption software had me shaking my head. They were making a very fundamental error that a lot of companies also make, even though Al Qaeda isn’t organized in a corporate fashion.

Forrester’s recently published Targeted-attack Hierarchy of Needs perfectly illustrates the Al Qaeda error and one that your corporation may be making in addressing security issues.

Can Al Qaeda (or your corporation) develop encryption that is unbreakable by the NSA, GCHQ, or China’s National Security Committee? I’m not very optimistic, even though they (or you) might have some very smart cryptologists on staff. As Schneier points out, open-source solutions have the advantage of study by anybody who cares to take the time to do so. As the flaws are found over time, the risk of a major undiscovered bug goes down. (Although certainly not to zero, as we’ve seen in Heartbleed.)

Al Qaeda’s error lies in prevention without a focus on the fundamentals and a security strategy. It’s a direct result of the “problem/solution” problem.


The Fundamental Mistake: Leaping Into Action

Al Qaeda needs to continue to operate, but they’ve learned that basically every communication channel they use short of cuneiform clay tablets has been compromised by the NSA and other security agencies. The response appears to have been “Action!” Again, a very corporate approach to the problem.

If developing their own encryption algorithms is indeed what they are doing, they’re operating at the Prevention level of Forrester’s pyramid. It’s the same thing a lot of companies do. Add more hardware, do deep packet inspection of everything coming in and out of your network, and then have your IP walk out the door via a low-tech social engineering effort.

I’m pretty sure Al Qaeda doesn’t have the trained PhD-level cryptologists and software engineers to go head-to-head with national security agencies, nor the infrastructure to implement whatever they develop. You should ask yourself: does your company?


What Does This Have to Do With Marketing?

The mistake of leaping into action happens a lot in marketing. It’s easier to make the mistake because marketing (usually) doesn’t include complicated mathematics. I call the situation the “problem/solution” problem. Many times you’ll be in a meeting to discuss a problem. Even if it’s not on the agenda, the meeting devolves into a solution-finding meeting.

That happens even if the problem isn’t completely defined, or there is no agreement that there is, in fact, a problem.

You have to start with the fundamentals and work your way up. Don’t dawdle, of course. But jump to conclusions about the solution and you’ll find yourself solving the wrong problem.

Just like Al Qaeda, who should probably be putting most of their focus on old, non-digital communication channels instead of trying to out-encrypt the NSA.

What’s next? I’ve got a few posts on how the scientific method works in marketing and how the proper use of the same methodology you learned in 7th grade will make your marketing more focused and efficient.


