Security Experts:

How Tall is the Water Fountain?

Recently, I was thinking about the time during high school when I took a trip to visit my elementary school. I’m not sure why this memory suddenly popped into my head, but it did remind me of an important topic in security that I’ve been meaning to write about.

What could a distant memory of a visit to my elementary school possibly teach us about security?  That is certainly a fair question, so let’s get to answering it.

You see, one of the things I noticed during that visit to my elementary school was how low the water fountains were.  Perhaps this is an odd thing to notice, but it did cause me to recall that the water fountains did not seem low at all when I was a student at the elementary school.  Of course, as you are well aware, it’s all a matter of perspective.

When I was in elementary school, I was a lot smaller than I was when I was in high school. Thus, relative to my elementary school size, the water fountains had been perfectly positioned by those who built the school.

In addition to the idea of perspective that the water fountain illustrates, I also want to examine the concept of peer groups.  Obviously, the perspective of those in my peer group, who were of the same age as me during that time, regarding the height of the water fountain was relatively similar to mine.  But what if I had brought in an older student, a mentor, a parent, or a teacher to understand their particular perspective?  Surely they would have told me that the height of the water fountain was lower than what they typically encounter.

Before we go any further with the analogy, let’s understand how it relates back to the security world in which we live and why it reminds us of something of which we need to be more conscious.

As security professionals, we are each tasked with mitigating risk and continually improving the security posture of the organizations we defend.  Many people reading this piece are likely talented security professionals working as members of talented security teams.  No matter how talented an individual is, however, he or she brings his or her own individual perspective to work every day.  It is part of the human condition that, no matter how brilliant, accurate, and/or broad someone’s perspective may be, it is by definition limited.

Similarly, each team is composed of its individual team members, who bring their individual perspectives.  Of course, the sum of those individual perspectives can be greater than its parts.  And yes, large security teams can have a relatively broad and diverse range of different perspectives.  But, no matter how large or experienced a given team is, its perspective is still going to be, by definition, limited.  It goes without saying that for smaller security teams, the challenge that a limited perspective presents can be quite difficult to overcome.  That is the case whether or not the organization is aware of it.  Simply put, if a security team has a small number of team members who are concentrated in one or a small number of geographical regions and come from similar backgrounds and experience, the chances that there will be a broad and diverse collection of perspectives are low.  That’s not a knock on the security team by any means.  Rather, it’s just a numbers game.

This is an important point for any organization to consider and remember.  Why?  This is where we come back to the height of the water fountain.  What if the perspective of most or all of the people on my team is that the water fountain is at a good height, or within the expected range of heights?  Or to put it in security terms:  Will a security team that works closely and intimately together and sees the same security program day in and day out truly be able to evaluate the maturity of that same security program objectively?  Or, instead, will they always see the security program like elementary school children see the water fountain -- just right or on the path to being just right?

But how can a security team broaden its horizons to gain a more complete, objective, and accurate perspective of how mature it truly is?  Well, for starters, it’s helpful to know how I compare to my peers.  Which organizations would be my peers?  There are many potential ways to categorize and classify peer organizations, though perhaps looking at organizations of a similar size, geography, industry vertical, and/or security budget would be a good way to start.

And what about understanding how I compare to others of different sizes, in different (or multiple) geographies, across different industry verticals, and with security budgets of differing sizes?  That’s also important, of course.  Perhaps I won’t hold myself to the same standard as an organization 10 times my size and with 10 times my security budget, but it might help me understand how I can improve and where I might focus my strategic plan and security spending.

Currently, it is not very easy for organizations to understand how they compare to their peer organizations and to organizations outside of their peer group. As you might have guessed, that challenge is something that interests me a lot these days. If this topic interests you as well, I’d love to hear from you to discuss further!

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.