Spring cleaning for your security toolbox

You have too much stuff. Those old clothes you can’t bear to part with. How many t-shirts from tech conferences do you really need? The stacks of magazines you are going to read “someday.” Toys for the kids, half-finished projects, and dozens of other things make your life disorganized and harder to manage.

The exact same problem infests many of our security programs. Every time we add a new technology, whether it is installed in production or running as a proof of concept, we make our operating environment more complex. Say it with me now… Complexity is the enemy of security.

Having too many systems causes multiple problems:

  • How many systems can you be a master of? You can be world-class at one thing, great at a few things, or mediocre at many things. That’s the trade-off. You can’t know about the newest feature that will save the company millions on every tool out there.
  • When our resources are spread across too many systems, we only look at a system when its lights go red. That means we miss the small clues that things are changing. Simply put, we are not receiving full value from our tools.
  • More systems cost more money. So at the same time that we are decreasing the value we get from each system, we are increasing the total amount of money spent on systems.

While the risk of juggling too many systems is clear, there is obviously a risk of going the other way as well. We can’t simply start hacking technologies out of the environment until we get down to a manageable number. To be successful, we need to have designed a risk-based defense in depth (DiD) strategy first. All too often, our DiD strategies are not based on which processes and technologies complement one another to create a strong control environment. Instead, we build our DiD structure out of whatever technology is popular, cheap, or easy to get in the door.

Your systems should be determined by your DiD strategy; not your DiD strategy by your systems

Each type of control in our DiD environment should operate at a separate layer of the defense (deter, prevent, detect, respond), should have an independent failure mode (basically, one of them failing shouldn’t cause another to fail, so watch for controls in different layers that all depend on the same upstream system, such as one identity provider or one log pipeline), and should provide adequate coverage throughout the environment, not just in the part of it that was easiest to instrument.

Then comes the good part. Spring cleaning for your security program. Start evaluating all the systems and processes that you support. Which of them align well with your DiD strategy? Give each system and process a priority rating. The ones with the highest rating get the training, money, and manpower assigned to master, maintain, and run them. The ones with lower ratings get a project plan set up for decommissioning them.
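One way to make that rating repeatable, as an added example that is not from the original post: put the inventory in a table with each control’s layer, the share of the environment it actually covers, and the upstream systems it depends on, then check the three criteria above mechanically. The inventory, the control names (warning_banner, mfa, waf, edr, siem, nids, ir_runbooks, idp) and the score weights below are all constructed for illustration.

```python
"""Added example (not from the original post): rate a control inventory
against a defense-in-depth strategy using the three criteria in the post:
one layer per control, independent failure modes, and adequate coverage.
The inventory, names and weights are constructed for illustration."""
from collections import defaultdict

LAYERS = ("deter", "prevent", "detect", "respond")

# Constructed inventory (hypothetical names). "coverage" is the fraction of
# the environment the control actually protects; "depends_on" lists the
# upstream systems whose failure would take this control down with them.
CONTROLS = {
    "warning_banner": {"layer": "deter",   "coverage": 0.40, "depends_on": set()},
    "mfa":            {"layer": "prevent", "coverage": 0.90, "depends_on": {"idp"}},
    "waf":            {"layer": "prevent", "coverage": 0.70, "depends_on": {"idp"}},
    "edr":            {"layer": "detect",  "coverage": 0.95, "depends_on": {"idp"}},
    "siem":           {"layer": "detect",  "coverage": 0.60, "depends_on": {"idp", "edr"}},
    "nids":           {"layer": "detect",  "coverage": 0.40, "depends_on": set()},
    "ir_runbooks":    {"layer": "respond", "coverage": 0.50, "depends_on": {"siem"}},
}


def transitive_deps(controls, name, seen=None):
    """Everything `name` depends on, directly or through other controls."""
    seen = set() if seen is None else seen
    for dep in controls[name]["depends_on"]:
        if dep not in seen:
            seen.add(dep)
            if dep in controls:  # the dependency is itself a control: follow it
                transitive_deps(controls, dep, seen)
    return seen


def layer_gaps(controls):
    """Layers of the DiD strategy that have no control at all."""
    present = {c["layer"] for c in controls.values()}
    return [layer for layer in LAYERS if layer not in present]


def shared_failure_points(controls):
    """Dependencies whose failure would knock out controls in two or more
    layers at once, i.e. controls whose failure modes are not independent."""
    dependents = defaultdict(set)
    for name in controls:
        for dep in transitive_deps(controls, name):
            dependents[dep].add(name)
    return {
        dep: sorted(names)
        for dep, names in dependents.items()
        if len({controls[n]["layer"] for n in names}) >= 2
    }


def rank_controls(controls):
    """Priority rating: coverage, plus a bonus for being the only control in
    its layer, minus penalties for overlap and for shared failure points.
    The weights are illustrative; tune them to your own strategy."""
    shared = shared_failure_points(controls)
    by_layer = defaultdict(list)
    for name, c in controls.items():
        by_layer[c["layer"]].append(name)
    scores = {}
    for name, c in controls.items():
        score = c["coverage"]
        peers = [p for p in by_layer[c["layer"]] if p != name]
        if not peers:
            score += 0.5   # sole control in its layer: removing it opens a gap
        elif any(controls[p]["coverage"] >= c["coverage"] for p in peers):
            score -= 0.25  # a peer already covers at least as much: consolidate
        score -= 0.1 * sum(1 for dep in transitive_deps(controls, name) if dep in shared)
        scores[name] = round(score, 2)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def decommission_candidates(controls, threshold=0.25):
    """Lowest-rated controls: the ones that get a decommissioning plan."""
    return [name for name, score in rank_controls(controls) if score < threshold]


if __name__ == "__main__":
    print("layer gaps:", layer_gaps(CONTROLS))
    print("shared failure points:", shared_failure_points(CONTROLS))
    for name, score in rank_controls(CONTROLS):
        print(f"{score:5.2f}  {name}")
    print("decommission candidates:", decommission_candidates(CONTROLS))
```

On the constructed inventory the two lowest-rated controls are the SIEM and the NIDS, because a higher-coverage peer already sits in the same detect layer and the SIEM inherits the identity provider and the EDR as failure points. The report also shows that the identity provider is a dependency of controls in three different layers, which is exactly the independence problem the criteria above are meant to catch; whether to keep the SIEM is still a judgement call, but now it is an explicit one.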

As in most things in life, true excellence is in quality, not quantity. Figure out what few things you can do to make your security program excellent, and work on those things with laser-like focus.


2 thoughts on “Spring cleaning for your security toolbox”

  1. Robb,
    Stumbled onto your article and breathed a sigh of relief – finally I had found someone else who sees the speeding train light in the tunnel. The proliferation of security tools and security information on the net is mind-boggling, and the number of organizations (including government agencies) that have purchased dozens of tools with overlapping capabilities is staggering. We (the cyber security industry) are becoming our own worst enemies – I agree with you completely that quality should be the preference, not quantity. Anyway, thanks!
    Larry

  2. Larry,

    Thanks for dropping by to comment. I’m glad to hear that there are others seeing this rising issue. Our problem is years of tools-focused thinking. Instead of thinking about what “tools” we handle, we must focus on what business needs we meet.

    Thanks for dropping by to read. You may be interested in today’s post as well, on a similar topic: http://www.robbreck.net/blog/enterprise_information_security/resource-scarcity-in-information-security/

    -Robb
