Imagine a huge, teeming festival. The swarming crowds are all keen to see as many musicians and bands as possible. They all gather at a large meadow. Given the current threat situation, the security company has been instructed to proceed meticulously and so it has hired a few dedicated stewards. Deployed at the northern gate is a veritable giant from Ukraine, 6’5” tall, 6’5” wide, with hands like frying pans. At the eastern gate stands a Japanese gentleman, significantly smaller, but more agile and experienced in martial arts. A Latin American guard – a former drug squad specialist – has been sent to the southern gate, while the western gate is in the competent hands of a true Scot and world champion in tossing the caber. All of them can look fearsome and overpower an attacker when necessary. In a nutshell: They are all specialists in their own right! But there’s one thing they can’t do: Communicate with each other. After all, they lack a common language to understand what the other person is saying and to report dangerous situations at the gates they are guarding, perhaps even in a zone in-between. They might even be reliant on digital radio and will be completely flummoxed if it happens to fail.
Besides stable, standardized means of communication, it would be good at this point to have one person who speaks all the different languages and who is able to provide faultless and simultaneous interpreting. Maybe even someone who could help if the Japanese guy is off sick and is replaced by a proud Maasai from Kenya.
Another, potentially better way of doing things would be to deploy resources that all speak one language and that use a common communication system. Perhaps not all of them would be world-beaters in their particular areas; instead, we might “only” have a large number of very good people … but they would come with the benefit of being able to communicate quickly whenever it is necessary.
You can probably guess already: My music festival is just an analogy to illustrate the challenges associated with designing an IT security infrastructure. Designing? – Well, it sounds so conclusive on the one hand. But on the other, I’m constantly running into customers from the industrial and public sectors that do not consider the issue of IT security from an end-to-end perspective and instead adopt a modular approach. Put succinctly: As a patchwork issue. They continue doing so despite an increasingly fraught cyber-threat scenario that has become more intense, targeted and destructive than ever before.