Lessons Learned: What the Vasa and IT Security Have in Common

History has a way of repeating, and the lessons learned from the sinking of the Vasa hold as true today as they did on Aug. 10, 1628.

For those not familiar with the Vasa, she was arguably the most powerful warship to sail the Baltic, if not the world. Armed with a panoply of 64 guns, including 48 24-pounders (the latest in heavy cannon design), the Vasa’s broadside firepower was a supreme naval achievement, twice the might of the largest ships sailing in Northern Europe at that time. Built for speed and firepower, the Vasa was destined to be a formidable weapon, having no comparison.

So, what does the Vasa and IT security have in common? But for the cannons and destructive power, nearly everything. To understand the relationship, one must examine the history of the Vasa and why she was doomed to fail.

Under the leadership of King Gustav II Adolf, Sweden became a military juggernaut during the Thirty Years War (1618 – 1648). Facing multiple war fronts and an external battle for his throne, the King needed an advanced naval fortress that could defend against any assault presented. Hence, he needed the Vasa.

But the Vasa had a different fate. When the maiden voyage of the Vasa commenced, a small gust of wind caught the ship, pushing it to one side and allowing water to enter through opened gun ports on its lower deck. Within minutes of setting sail and still within the reaches of the Stockholm harbor, the mightiest of warships had inexplicitly sunk. How could this be?

History shows that this disaster could have been averted. There were numerous warning signs that illustrated the risk at hand. The hull was not sufficiently deep and significantly underweight in ballast. Above the waterline, the superstructure was too tall and heavy. Even a pre-launch demonstration showed that the ship was highly unstable and prone to capsize, yet nothing was done to stop the pending disaster.

Compounding matters were the myriad changes to the ship’s design (many of which were done for purely aesthetic reasons), and a construction pace that left little room for error. In the end the King, who was located in a far-off country, had ultimate approval authority, and by exercising it, he eliminated outside debate and any possibility for constructive criticism, leaving nothing to be altered, corrected or fixed.

By comparison, today’s enterprise networks face relentless attacks from a myriad of sources, driving the need to deploy cutting edge cyber security solutions. Often, these solutions are deployed because of their hype or promise, yet in the end they lack functionality and capability, and ultimately do not meet the actual needs of the organization.

Which brings up the point about working in IT security. Plans are set in place for specific reasons, but over time business and technology needs change, and the art of understanding the WHY something is being done, or was done in the past, often gets pushed out of the discussion.

In this age of advanced interconnectivity between the cyber world and the physical world, cyber attacks have repercussions that extend to physical safety. It is not enough to simply be accountable anymore. Organizations need to move beyond simple accountability and approval checkboxes and aim for a higher purpose – safety – as a priority.

When decisions are made, staff is often reluctant to question or push back. Warning signs are ignored, and for reasons no one can quite explain, when responses are provided, they often fall flat with: “That’s the way we’ve always done it”.

It should not be so.

To avoid this trap, IT security groups should:

• Regularly evaluate plans and challenge the status quo, asking “why” and reviewing best practices and policies to ensure they still meet the current needs, goals and ambitions of the organization.
• Communicate with cross-team members to ensure everyone understands “why” things are done rather than only the “how” things get done.
• Finally, help management understand the consequences of IT and IT security decisions. Ideas should be assessed on their own merits, rather than what they look like on paper or from afar.

Working in IT and cyber security has never been easy or with more consequence. When an environment resembles the Vasa, disaster is bound to result. It is not enough to understand the principles behind how a Vasa environment comes to be. Organizations need to create and foster an environment that openly supports the understanding of the “why” behind approaches and decisions, and must ensure these still meet their original intent. This needs to be core to today’s IT and IT security process.

Bottom Line: As said many times: “Those who do not learn from history are doomed to repeat it.” The Vasa gives us that lesson that we can learn from today.