Just over 17 years ago, on 9/11, we witnessed what it was like dealing with something that had never occurred. I remember thinking at the time and it still rings true – it’s hard to protect against something that’s never happened. Little to no clues, as far as we know…massive destruction on a scale we never expected. That’s the tricky thing about terrorist threats and, on a much smaller scale, this challenge can impact IT and information security. I personally experienced an unexpected event recently when racing my car. It’s somewhat baffling but, essentially, my car connected with that of a fellow competitor and we both drove our cars into the wall as you can see here:
Now in my sixth year of racing Spec Miata in SCCA, I’ve had quite a few offs and some light bumping and banging but I’ve never gone off the racetrack in this way. We are trained to let go of the steering wheel when we see that we are about to hit something. The bad thing is, I didn’t think I was about to hit anything. I knew my fellow competitor was close to me on the right but I didn’t think about how centrifugal force pulling him into me at the bottom of this hill and 100 mph would cause us to hook up and go off like we did. So, I didn’t see it coming and had no time to prepare! [By the way, if you want to see what 100 mph of wheel locking force being redirected back up into the steering wheel is all about, watch this video in slow motion by clicking on the gear icon or the three dots and changing it to 0.25x speed. YOWZERS!]
Lesson learned: you can prepare as much as you want but there’s always going to be something that catches you off guard.
Of course, this was much less impactful than the 9/11 event and certainly not as dramatic as a security incident or breach. Still, it underscores the reality that we can’t possibly be prepared for – or protect against – all possible negative scenarios. That said, in the context of IT and information security, most organizations still have low-hanging fruit on their networks that must be addressed. Smaller scale incidents like my car crash are no fun, especially given the repair costs and risk of injury…thankfully I’m okay! You just have to know that if you put yourself (or your systems) out there, something’s going to happen eventually. It’s what you do to minimize the impact that’s important. My racing gear did its job and I walked away with only a tweaked wrist. It certainly could have been worse.
So, thinking about this in terms of security…You must know your network. Know your security controls. Know that threats and vulnerabilities are lurking all around you – some of which you cannot see and you can’t possibly protect against. Do what you can to minimize the risks. Most importantly, be prepared to respond in a mature and professional way when the going gets rough because it certainly will sooner or later…