
Slow and Steady Security: Lessons from the Tortoise and the Hare

By focusing on fundamentals, enterprises can avoid the distraction of hype and build security programs that are consistent, resilient, and effective over the long run. The post Slow and Steady Security: Lessons from the Tortoise and the Hare appeared first on SecurityWeek.


Aesop’s fable “The Tortoise and the Hare” can teach us a lot about security, especially nowadays. The moral of this particular story is “slow but steady wins the race”. Or, to look at it another way, consider how dictionary.com defines “slow but steady wins the race”: “Consistent, effective effort leads to success.”

I very much agree with this. Further, I think that internalizing this message can help both enterprise security teams and security vendors mature and behave in a more grounded, strategic, and effective manner.  What do I mean by this?  Allow me to elaborate.

In security, it seems that we are constantly confronted by the next shiny object, item du jour, or overhyped topic. Along with this comes an endless supply of “experts” ready to instill fear in us about the “revolutionized threat landscape” and the “new reality” we apparently now find ourselves in and must come to terms with. Indeed, there is no shortage of distractions in our field.

Many of us are aware of this near-constant tendency toward distraction in our field. So how can we avoid falling into the trap of running after every distraction that comes along? Or, to pose it another way, how can we invest our time and resources in areas where we are likely to see value and a return on that investment?

As a first step, I would recommend asking a few questions:

  • So what?: What does this new thing I’ve been asked to care about mean for me practically speaking?  What are the real consequences of it in terms of negatively affecting the security posture of my organization?
  • Will this introduce risk into my organization?: If this new thing will almost certainly introduce additional risk into my organization, then that is probably a clue that it deserves some mindshare.  The key here is to measure that risk and its implications objectively, rather than allowing the hype to drive the risk assessment.  Once the risk assessment is done, the team should use that data to strategize regarding what should be done.
  • Will this be something that gets incorporated into my overall workflow?: If this new thing is a real thing that will introduce risk, then it is likely that it will eventually be incorporated into security business-as-usual.  We’ll need to plan to incorporate mitigating risk, ensuring compliance, and day-to-day security tasks related to this new thing.  It will eventually become part of our overall security strategy and planning as so many other legitimate new things have over the years.

With the answers to these questions in hand, it’s time to return to the fundamentals of security: risk, strategy, goals, workflow, process, compliance, and operations.

  • Risk: There is a lot going on in the world, but until something begins to influence risk to the enterprise, it is hard to devote any significant cycles to it.  If, however, the impact on risk from something can be objectively quantified, then it quickly becomes time to either accept that risk or plan to mitigate it.
  • Strategy: All successful security teams are governed by a solid security strategy.  While the strategy can be adjusted from time to time as risks and threats evolve, it shouldn’t drift wildly and certainly not in an instant.  If the newest thing demands radically altering the security strategy, it’s an indicator that it may be overblown.  The good news is that a well-formed security strategy can be adapted to deal with just about anything new that arises in a steady and systematic way, provided that new thing is real.
  • Goals: Executing on a solid security strategy involves setting and achieving attainable goals.  A clue that the latest thing may be overhyped is if it requires an immediate resetting and reshaping of a large number of goals.  A real thing won’t require that the world be turned upside down.  Rather, it may require adjusting goals in a very sensible manner.
  • Workflow: The security workflow is something that security teams refine over time to increase productivity, remove bottlenecks, and better defend the enterprise. The workflow may need to be modified from time to time as new environments come online, new logging sources present themselves, regulatory requirements change, strategic priorities evolve, and for other reasons. But the workflow should not be upended entirely in an instant. If it is, it could be a sign that hype is taking precedence over substance.
  • Process and Procedure: Process and procedure not only guide the actions of the security team, they also help to document and prioritize the items that are the most important strategically for the enterprise.  If, all of a sudden, a security team finds itself deviating wildly from processes and procedures, it could mean that the latest fad is a tad oversold.
  • Compliance: Compliance may not be sexy, but it is important, for obvious reasons.  When the latest thing is real, it will most likely have some compliance implications.  These will need to be addressed, of course.  But, if there is a lot of buzz around a topic that seems to far exceed any real compliance implications, that is a pretty good indication that the buzz is overdone.
  • Operations: Security operations is the day-to-day pulse beating at the center of the security program. I’ve never met a security team that is overstaffed in security operations, and thus it is important to ensure that team members are focused on important, value-added activities that are a good use of their time. If the hottest new thing diverts these precious resources to activities that provide very little value and don’t improve the organization’s security posture, that is one of the most dangerous consequences of hype for an enterprise.

There are likely many ways to evaluate how relevant different items are as they arise. By taking a step back, asking a few questions, and staying focused on core security principles, security teams can avoid running after something that turns out to be overhyped. I’ll leave it to the reader to consider which headline-grabbing topics are worth devoting significant cycles to versus which ones can safely be monitored from afar or ignored entirely.
