You can't secure what you don't acknowledge.℠

Wednesday, November 5, 2014

Car racing and security breaches, you're not as ready as you think you are!

This past weekend I had the opportunity to run the race of my life - a 90-minute enduro car race in my Spec Miata - held at the American Road Race of Champions at Road Atlanta in Braselton, GA.

It wasn't the most competitive race - there were only 17 entries, 14 that made it on track...I've raced with over 60 cars at once. 

It wasn't the most stressful race. That award goes to the motocross races I ran at the Loretta Lynn's Amateur Nationals back in 1987.

It wasn't the most physically demanding race either - sustained heart rate of only ~145bpm - much lower than what motocross required of my body.

It was, however, a race that I feel like I wasn't fully prepared for.

I started training for this race months in advance - both mentally and physically. The preparation in the weeks and days leading up to this race was especially measured. I even had to scramble to get information from my fellow racers and race team during the final hours on Sunday to figure out what to do during my pit stop, as that was my first real one (outside of the armchair pit stops I do watching F1, IndyCar, etc. races on the weekends).

Yet, still, nothing prepared me for the mental exhaustion, the leg pain, the loss of gross motor skills I'd experience during the race. That stuff was real.

I didn't think I'd run out of water in my drink bottle either...I did, just 30 minutes into the race. I most certainly wasn't prepared for how quickly the mandatory five minutes would pass during my pit stop - the fastest five minutes of my life! I didn't have enough sense of urgency during my own biological pit stop so in rushing to get back on track, one of my harnesses and my HANS device weren't properly fastened - something I had to fix while back out on track. That cost me a position in the race.

Sadly it was ~59 degrees outside. I can't imagine doing such an event in the heat of summer! I definitely learned the value of the CoolShirt system that many of my competitors were wearing (and recommended to me :-). My wife doesn't know it yet, but I now have one on my Christmas wishlist!

I digress.

I'm sharing this story with you because my experience in this race reminded me of what it's like when a data breach occurs. As the saying goes, experience is something you don't get until just after you need it. I thought I was overly prepared but given that it was my first 90-minute enduro, I quickly learned from the experience that I wasn't...I did what any self-respecting race car driver or CISO would do afterward: made a lot of notes on what to do differently next time.

Be it a car race or a security breach, things happen quickly...it pays to be ready. You can never be prepared enough. Most organizations I see have done little to nothing to truly prepare for a security breach. Ignore all forms of preparation (i.e. not even having a documented response plan) and I'm convinced you're doubly-screwed. Even if you take reasonable precautions to prepare for security breaches, well in advance like I did for my race, you're still going to get caught off guard by some things and have to learn along the way.

How well-prepared are you? Ultimately the choice is yours.

I ended up 8th overall in the race.

By the way, if you want to see what happens when you apex too early and your car misfires (due to an electrical gremlin) in the middle of a turn and you go off at 90 mph, check out this video of that happening to me during another race over the weekend. Whew...