THE THING ABOUT SECURITY

Security is hard.

In order to have a good security program you need to move past the usual suspects and begin to think differently. Security doesn't apply only to technical problems, and it's not solved only with technical solutions. Security is not just a piece of software, some "mitigating controls", and checklists of things. Security is not a collection of buzzwords that cost money and give you a cover-your-ass certification.

Security starts a lot sooner. Security is made up of many things.

Security begins by understanding the founding principles of an organization, its culture, the people both in the organization and affected by it, the way things are done through policies, and how well those policies are written to withstand a real-world security problem. It starts with a purely metaphysical problem, with shades of gray to make it even more complex. It starts with the human factor.

Yes, complex.

It is only at the very end of the spectrum that security becomes a technical problem.

Most security professionals fail to see this. They fail to understand this. Partially because the industry has trained us to be narrow-minded and focused on the immediate threats, forgetting to look forward and understand what's out there, what's coming. There are two sides to security, and both are needed in order to have a successful, resilient program. Each side has its own complexities, and navigating those complex pathways successfully will determine how your security program performs in the real world.
In order to solve this problem, security professionals need to be two different people, to have two "different minds": you have to understand the organization you are trying to defend, while at the same time understanding the adversary that will come after you. Fail to do either, and security will not work. Period.

To properly apply a defensive measure, you have to understand what your adversary is targeting: what the most valuable assets are, the things that, if denied or taken away, will make your organization suffer or fail altogether. At the same time, you need to know not only who can attack you and how they would attack you, but also what the attacker's end goal would be. This is often overlooked, with security professionals treating all attackers the same and putting them in the same bucket of "defensive controls". You need to understand how your defenses would stand against all this, how your policies and people will react to the attack, and whether your organization has built-in resiliency to survive an attack when it comes.

So, you see, offensive and defensive security are in fact one thing. They are interconnected, and you can't have security if either of them is missing.

In order to defend your assets, first understand what your assets are and how they can be exploited. The more you understand your environment (physical, digital, cultural, and social), the better you'll be able to understand your priorities and focus when setting up your defenses.
On the other side, you also need to understand who will attack you, who will try to get to those assets, and how. Understanding who the adversaries are, and how they will mount an attack, will provide a good look into how your defenses should be set up.
Fail to do either of these things - understand your environment and understand your attackers - and security will fail. Maybe some of the attacks will be avoided, but a well-organized, focused and determined attacker will always find a way. You have to be ready for that. You have to stress-inoculate yourself, the team, and the organization in general.

Offensive and defensive security are the same. They complement each other. They need to exist together.