Security Lessons from Nature –
The Blue Glaucus, also known as the sea swallow, blue sea slug and blue ocean slug (’cause one name just isn’t cool enough for this sucker) is, as Wikipedia says, a pelagic aeolid nudibranch, a marine opisthobranch gastropod mollusk in the family Glaucidae. Which is a fancy sciency way to say it’s a slug that lives in the ocean. (If you like to geek out on sciency stuff (like me), read this, and this and this.)
What makes this little critter particularly interesting is that it eats Portuguese Man o’ Wars (should that be “Men o’ War”?). Not only is it immune to the venom, but it also has the ability to absorb the stinging cells (sciency term: nematocyst (aka cnidocyte, ’cause they’re cool too)). It can then concentrate the cells of all the Portuguese Mens o’ Wars it eats and thereby pack a stronger wallop than the original predator.
Business-wise, our friend Glaucy basically performs a hostile takeover, absorbs the general features of the acquisee (proteins) and concentrates that which makes them unique (nematocysts/cnidocytes). The lesson here, I think, is to look at what makes others unique and not necessarily at what you have in common. That’s not to say that commonality isn’t important… no acquisition is going to work out if you don’t share common proteins. However, a strategic acquisition isn’t going to be massively successful unless you can take advantage of and preserve the uniqueness.
The same holds true of employees. If we hire employees, it is presumably because they have skills that set them above the rest. (After all, everything else can be automated these days.) Does it really make sense to push them all towards the same lowest denominator? Wouldn’t it make more sense to give each the tools they need (both technical and cultural) to maximize their success? By doing such, you have effectively turned them into little stingers that can pack quite a punch. Then, the trick would be to set them up in teams, so their punch can be concentrated.
Of course, the other lesson to learn from Glaucy is that it’s not just a mass of stinging cells. In order to be a successful organism, it must still move around, hunt and eat. Thus, priority one is successful operation (not uniformity), and priority two is concentration of attack/defense. I often find myself falling into the trap of forgetting about operations and trying to promote uniform environments and tool consolidation in the name of security. After all, that’s best practice, right?
Best practice is protecting the business. That means making the business as successful as possible. I’m afraid that we security practitioners often mistake the process for the result. Uniformity is a tool to promote control and control is a tool to promote security. However, as soon as the costs of uniformity and control get in the way of the success of the business, they harm security instead of benefiting it.