You have too much stuff. Those old clothes you can’t bear to part with. How many t-shirts from tech conferences do you really need?
The stacks of magazines you are going to read “someday.” Toys for the kids, half-finished projects, and dozens of other things make your life disorganized and more difficult to manage.
The exact same problem infests many of our security programs. Every time we add a new technology, be it installed in production, or as a proof of concept, we make our operating environment more complex.
Say it with me now… Complexity is the enemy of security. Having too many systems causes multiple problems:
- How many systems can you be a master of? You can be world-class at one thing, great at a few things, or mediocre at many things. That’s the trade-off. You can’t know about the newest neat feature that will save the company millions on every tool out there.
- When our resources are spread between too many systems, we only look at systems when lights go red. This means we’re missing the small clues that things might be changing. Simply put, we are not receiving full value from our tools.
- More systems cost more money. So at the same time that we are decreasing the value we get from each system, we are increasing the total amount of money spent on systems.
While the risk of juggling too many systems is clear, there is obviously a risk of going the other way as well. We can’t simply start hacking technologies out of the environment until we get to a manageable number.
To be successful, we need to have designed a risk-based defense in depth (DiD) strategy. All too often, our DiD strategies are not based on which processes and technologies complement one another to create a great control environment.
Instead, we create our DiD structure based on what technology is popular, cheap or easy to get in the door.
Your systems should be determined by your DiD strategy; not your DiD strategy by your systems.
Each type of control in our DiD environment should operate at a separate level of the defense perimeter (deter, prevent, detect, respond), should have an independent failure mode (basically, one of them failing shouldn’t cause another to fail), and should provide adequate security throughout the environment.
Then comes the good part: spring cleaning for your security program. Start evaluating all the systems and processes that you support. Which of them align well with your DiD strategy?
Give each system and process a priority rating. The ones with the highest rating get the training, money and manpower assigned to master, maintain and run them. The ones with lower ratings get a project plan set up for decommissioning them from the environment.
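One way to make the evaluation above concrete is to put the control inventory in a small script and check it against the three DiD properties (every layer covered, independent failure modes, and a priority rating that drives the master-or-decommission decision). This is an added example, not code from the original post; the control names, dependencies and coverage numbers are constructed for illustration, and the scoring rule (coverage plus a bonus for being the sole control in a layer) is an assumed one.

```python
"""Score a control inventory against a defense-in-depth (DiD) strategy.

Checks the three properties described in the post: every layer of the
perimeter is covered, controls fail independently, and each control earns
its keep. The inventory below is constructed for illustration.
"""
from collections import defaultdict

LAYERS = ("deter", "prevent", "detect", "respond")

# Constructed sample inventory (hypothetical names and numbers).
# "deps" lists infrastructure a control cannot operate without;
# "coverage" is an assumed 0..1 estimate of how much of the environment it protects.
CONTROLS = {
    "awareness_training": {"layer": "deter",   "deps": set(),                                "coverage": 1.0},
    "edr":                {"layer": "prevent", "deps": {"cloud_console_sso"},                "coverage": 0.9},
    "siem":               {"layer": "detect",  "deps": {"cloud_console_sso", "log_pipeline"}, "coverage": 0.7},
    "ids_sensors":        {"layer": "detect",  "deps": {"log_pipeline"},                     "coverage": 0.4},
    "poc_sandbox":        {"layer": "detect",  "deps": set(),                                "coverage": 0.1},
}


def layer_gaps(controls):
    """Layers of the DiD perimeter that no control occupies."""
    covered = {c["layer"] for c in controls.values()}
    return [layer for layer in LAYERS if layer not in covered]


def shared_dependencies(controls):
    """Dependencies whose failure would take down more than one control.

    Returns {dependency: sorted control names}. A shared dependency that
    spans several layers breaks the independent-failure-mode rule outright,
    because one outage removes both the preventive and the detective control.
    """
    users = defaultdict(set)
    for name, c in controls.items():
        for dep in c["deps"]:
            users[dep].add(name)
    return {dep: sorted(names) for dep, names in users.items() if len(names) > 1}


def prioritize(controls, keep_threshold=0.5):
    """Rate each control and decide whether to master it or plan its decommissioning.

    Score = coverage, plus 0.5 if it is the only control in its layer (removing
    it would open a gap). Returns [(name, score, action)] sorted high to low.
    """
    per_layer = defaultdict(list)
    for name, c in controls.items():
        per_layer[c["layer"]].append(name)
    rated = []
    for name, c in controls.items():
        score = c["coverage"] + (0.5 if len(per_layer[c["layer"]]) == 1 else 0.0)
        action = "master" if score >= keep_threshold else "decommission"
        rated.append((name, round(score, 2), action))
    rated.sort(key=lambda r: -r[1])
    return rated


if __name__ == "__main__":
    print("Uncovered layers:", layer_gaps(CONTROLS))
    for dep, names in shared_dependencies(CONTROLS).items():
        layers = sorted({CONTROLS[n]["layer"] for n in names})
        print(f"Shared failure mode: {dep} -> {names} (layers: {layers})")
    for name, score, action in prioritize(CONTROLS):
        print(f"{name:20s} {score:4.2f}  {action}")
```

Running it on the sample inventory reports that the "respond" layer has no control at all, that both the preventive and detective controls fall over if the shared SSO dependency fails, and that the two lowest-rated detective tools are candidates for a decommissioning plan while the remaining three get the investment. Swap in your own inventory and the same checks apply.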
As in most things in life, true excellence is in quality, not quantity. Figure out what few things you can do to make your security program excellent, and work on those things with laser-like focus.
Cross-posted from Enterprise InfoSec Blog from Robb Reck.