Over recent months - I have been spending most of my time looking at and thinking about security issues in customers' supply chains. And I found an unconventional yet fitting comparison.
Soft Play Centres
If you have young children, you will know the - pleasure - of "soft play". If not, you will have noticed soft play centres rapidly colonising towns and venues nationwide.
But why are they so popular?
Oddly, it's down to the rope nets used as walls...
From a child's view - they get to run free - without their parents. The soft play is their private territory. A place to explore. Play. And have a wonderful time.
Parents have a different territory - outside the soft play. They can sit, chat, and have a drink. The boundary between these territories is a net wall.
The net wall is a barrier that prevents parents from interrupting play too often. But crucially, parents can see through the barrier to casually observe "nothing bad is happening".
Both parent and child have a great experience.
The ideas of children having their own private territory and parents being able to casually observe behaviour are the crucial components of a crime prevention theory called Defensible Space.
Defensible space is a theory in architecture - published in 1972 - that suggests design plays a crucial role in reducing crime and improving neighbourhood safety.
The theory argues that areas become safer when people have ownership of and responsibility for their space - or territory. Moreover - if an intruder senses a watchful community, they feel less secure in committing crimes.
While some aspects of the defensible space theory are criticised, the ideas of private and public territory and of casual observation have been readily adopted.
...including at top-secret government bases.
Top Secret Government Base
Using the old security analogy, you may expect top-secret bases to be built like castles. Thick, impenetrable walls hide what's inside.
But if you drive into Cheltenham, UK, from the motorway - you can't miss the giant circular GCHQ building on your left. Rather than a high-walled citadel, it looks like a corporate headquarters.
There's barely a solid wall in sight. And there certainly isn't a solid fence around the perimeter. The same ideas of defensible space found in a soft play centre are at work.
The staff at GCHQ take their responsibility for guarding the UK's national secrets seriously - in their private territory. And like a parent or guardian casually observing what is happening in a soft play centre, GCHQ staff can look beyond their private territory. Beyond the fence - into the public roads... to spot concerning behaviour.
So what does this have to do with supply chains?
We are used to considering our schools and businesses as our private territory - an idea that cybersecurity programs reinforce.
As businesses secure their technology, staff, and operations - their robust and resilient internal security processes create a clear boundary that stops at the edge of their control. We build castles.
To run a business, we inevitably create a web of suppliers - who provide us with the goods and services we need. As expected, cybersecurity guidance on securing your supply chain exists.
But the guidance primarily focuses on the idea that your suppliers should have castles equal to or more impenetrable than your own. A medieval landscape of castles with opaque walls of Cyber Essentials, SOC2 and ISO-27001 compliance has been created.
But there's the issue. Suppliers' security is opaque, and there's no opportunity for casually observing the threats they pose to your business.
Moreover, scammers have noticed and changed their tactics. They have moved to the paths that connect our castles. Scammers have become bandits or highwaymen - operating outside our castle walls.
I've seen a significant spike in incident response investigations relating to impersonating CEOs and duplicating invoices. Even masquerading as debt collectors for fictitious clients or interjecting in sales channels.
While our annual security awareness training helps our teams understand "CEO Fraud" and social engineering techniques, there's no need to remain behind our opaque castle walls...
Like a parent or guardian casually observing what is happening in a soft play centre, it's possible to casually observe the threat landscape around your suppliers' castles.
We should be casually observing deceptive domains masquerading as your supplier... Their highly visible people - the ones most likely to be spoofed in correspondence... And the paths into your business.
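One concrete way to "casually observe" the domains around your suppliers is to compare every sender domain you see on invoices and correspondence against the domains your suppliers genuinely use. The script below is an added example, not code from the original post: the supplier domains and the observed sender domains are constructed placeholders, and the registrable-label split is a deliberate simplification that ignores the public suffix list (so multi-part suffixes such as co.uk would need extra handling). It flags the common masquerades: the same name on a different TLD, homoglyph or hyphen variants, the supplier's name embedded in a longer label, the genuine domain reused as a subdomain of something else, and near-miss spellings.

```python
"""Flag sender domains that look like a trusted supplier's domain.

Added example (not from the original post). TRUSTED_SUPPLIERS and
SEEN_SENDER_DOMAINS are constructed placeholders, not real organisations.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed allow-list: the domains your suppliers actually send from.
TRUSTED_SUPPLIERS = ["acme-widgets.example", "northwind.example", "contoso.example"]

# Constructed sample of sender domains seen on inbound mail and invoices.
SEEN_SENDER_DOMAINS = [
    "acme-widgets.example",                      # genuine
    "acme-widgets.test",                         # same name, different TLD
    "acrne-widgets.example",                     # "rn" standing in for "m"
    "acmewidgets.example",                       # hyphen dropped
    "acme-widgets-billing.example",              # supplier name plus a token
    "acme-widgets.example.billing-portal.test",  # genuine domain as a subdomain
    "n0rthwind.example",                         # digit zero for the letter o
    "contosso.example",                          # one extra letter
    "unrelated-shop.test",                       # no relation to any supplier
]

# Characters and pairs commonly substituted for visually similar ones.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l", "!": "i"}
MULTI = {"rn": "m", "vv": "w", "cl": "d"}


@dataclass
class Verdict:
    domain: str
    matched_supplier: Optional[str]
    reason: str


def normalise(label: str) -> str:
    """Lower-case, drop hyphens and fold look-alike characters to their targets."""
    s = label.lower().replace("-", "")
    for seq, rep in MULTI.items():
        s = s.replace(seq, rep)
    return "".join(HOMOGLYPHS.get(c, c) for c in s)


def split_domain(domain: str):
    """Return (registrable label, TLD). Simplification: no public suffix list."""
    parts = domain.split(".")
    if len(parts) < 2:
        return domain, ""
    return parts[-2], parts[-1]


def embeds_as_subdomain(d: str, s: str) -> bool:
    """True if the trusted domain's labels appear inside d but not at its end."""
    parts, sp = d.split("."), s.split(".")
    return any(parts[i:i + len(sp)] == sp for i in range(len(parts) - len(sp)))


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain: str, trusted=TRUSTED_SUPPLIERS) -> Verdict:
    """Classify one sender domain against the trusted supplier list."""
    d = domain.strip().lower().rstrip(".")
    if d in trusted:
        return Verdict(d, d, "trusted")
    label, tld = split_domain(d)
    norm = normalise(label)
    for s in trusted:
        s_label, s_tld = split_domain(s)
        s_norm = normalise(s_label)
        if d.endswith("." + s):                      # mail.supplier.example is theirs
            return Verdict(d, s, "trusted")
        if embeds_as_subdomain(d, s):                # supplier.example.other.test
            return Verdict(d, s, "trusted domain used as a subdomain")
        if label == s_label and tld != s_tld:
            return Verdict(d, s, "same name, different TLD")
        if norm == s_norm:
            return Verdict(d, s, "homoglyph or hyphen variant")
        if s_norm in norm:
            return Verdict(d, s, "supplier name embedded in label")
        # Allow one edit for short names, two for longer ones.
        if levenshtein(norm, s_norm) <= (1 if len(s_norm) < 8 else 2):
            return Verdict(d, s, "near-miss spelling")
    return Verdict(d, None, "unrelated")


def triage(domains, trusted=TRUSTED_SUPPLIERS):
    """Return only the verdicts that warrant a human look."""
    return [v for v in (assess(x, trusted) for x in domains)
            if v.reason not in ("trusted", "unrelated")]


if __name__ == "__main__":
    for v in triage(SEEN_SENDER_DOMAINS):
        print(f"{v.domain:45} -> {v.matched_supplier:22} ({v.reason})")
```

Feeding the script the sender domains from a week of invoices gives a short list worth a phone call to the supplier, which is exactly the casual glance through the net wall the post argues for. Legitimate subdomains of a trusted supplier pass as trusted, so the list is not swamped by their own mail servers.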