The Itsy Bitsy Security Spider

Keep on climbing

Sometimes we can learn a lot from nursery rhymes; I’ve previously shown how A Hole In My Bucket can teach us about understanding problems and how this can lead to security issues.

The Itsy Bitsy Spider can also teach us…

So what is the story of the spider?

Spider starts to do something productive
Event happens that destroys the progress
Spider starts over to do something productive

But what we don’t see, here, is the spider learning from the event. It has fixed target (climbing the water spout) and is focused on achieving that goal.

Now we see similar “event happens” in our lives.

Management change

A common one in large enterprise environments is a change in management. The new hierarchy want to stamp their authority on their department and so will pick on something and force change; they throw away the old and replace it with their favourite technology.

Except technology isn’t the whole of the problem space. Technology is easy; it’s process and controls that are hard.

So the incoming management tree might demand a replacement of product X with product Y. The engineering teams will work out how to get product Y working in the company; they’ll replicate existing data models, process workflows, user interfaces (request/approval/re-certification/etc).

And at the end of the day we’ll have all the existing problems replicated into the new system.

New management will have washed the spider out of the spout, but then engineering climb up it exactly the same as before. Nothing has been learned, nothing has been improved.

External attack

This rainstorm is the one we all dread. We know it will happen1 and try to limit the consequences.

So we build a solution; we have defence in depth; we have overlapping controls and processes; we have so much stuff running on machines that we chew up more resources monitoring than we do on the actual work of the company. And we still get hacked.

As part of the incident response management goes into a panic, bring in consultants to analyse the existing solution. These consultants will spend months interviewing people and writing reports… that match their existing preconceptions and recommend installing new solution.

We’re back in the same boat as before; technology change but not addressing the real problem.


What we’re really talking about, here, is a variation of “group think”. The company has a set of processes and standards to be followed and any new technology will be forced into that viewpoint. A rainstorm may force a change of technology but we’ll just rebuild in the same pattern.

It’s hard, but sometimes you need to think outside the box and come up with new ideas, rather than just new technology.

Next up: Humpty Dumpty can be put back together again.

  1. You will be hacked. [return]