Ok, we all know how to patrol in the woods looking for things to shoot. We’ve been doing that since the beginning of time, and really it’s ingrained nature for most people. Some people say that it’s why we developed bigger and better brains–so we could hunt more effectively.
Then the world changed. We went from being hunter-gatherers to living on farms to living in cities. And as you might expect, the amount of warfare conducted in cities has grown comparatively, from the Meistertrunk of Rothenburg in the middle ages to the burning of Atlanta during the Civil War to the Rattenkreig of Stalingrad to the mean streets of Baghdad. Truth of the matter is, nowadays cities are where the critical infrastructure is, and that’s where a modern army needs to learn how to combat and win against their enemies. In the US Army, we have a word for it: Military Operations on Urbanized Terrain, or MOUT (the department of modernization just told me that it’s now “OU” or “Urban Operations”).
One lesson from MOUT that there are many ways to kill people. Yes, you can shoot them (the good ol’ standby), but there are new ways: “anti-handling devices” (aka, booby traps and IEDs), channelization of traffic into better kill zones, better line-of-sight for snipers, ability to hide ambushes, short engagement ranges for anti-armor teams, etc.
In MOUT, you have to live with the fact that heavily barricading a building means it’s harder for the bad guys to get in and it’s also harder for you to get out if the building is on fire. It’s something to think about in the IT world where protecting against one type of attack means that you are susceptible to another attack: think dual-homing all your servers on a backup network to help with availability but meaning that if one server gets hacked, it’s a shorter path to the other servers.
Just like MOUT, there are many ways to “die” in the IT security world. Let’s see, this year it’s XSS, Ajax attacks, and USB drives. 5 years ago it was worms, virii and unpatched systems. Next year it will most likely be application vulnerabilities.
Now welcome risk management into that picture. Risk management means being able to triage the “bazillion ways to die” and come up with a list of the ones you need to fix now, the ones you need to fix over the next year, and the ones it doesn’t make sense to fix. In MOUT, it’s a question of “Do I spend the time putting in more wire and mines,” or “Do I need to work on blowing holes between rooms so I can move people and weapons internally?” or even “Which parts of the city do I rig with explosives and give away to the bad guys because they have no strategic value to me?”