In Information Security, the Only Constant is Change

As the Greek philosopher Heraclitus famously noted, “the only constant is change”. This statement was as accurate 2,500 years ago as it is now. The world around us changes constantly, oftentimes at a somewhat frenetic pace. The field of information security is no different. Both the organizations we support and the threat landscape we face are changing and evolving constantly.

One unfortunate side effect of continual change can be what I colloquially call “shiny object syndrome” (SOS). As you might imagine, there are some organizations, and indeed some people, that unfortunately seem to run continually from one “shiny object” to another. In other words, rather than approaching security strategically and adjusting the plan in a calculated manner to account for changes to the risks and threats the organization faces, many organizations repeatedly chase after the fad of the day.

Rather than discuss why this occurs, I’d like to focus on what organizations can do to avoid falling victim to shiny object syndrome. Hype, buzz, and trends change constantly, but the fundamentals of a good security program stay the same.

Signs: Change is Constant

While this is certainly not an exhaustive list, here are my top five ways that organizations can stay grounded and focused amidst a sea of distractions:

1. Stick to the plan: As I and many others have previously noted, if you don’t already have an incident response plan, you should. If you do already have a plan, then you are already one step ahead of the game. The trick is to stick to the plan, even when the temperature gets a little hot in the kitchen. If you’ve done your homework properly, or worked with qualified professionals who have helped you do it properly, you will pull through, just as long as you don’t succumb to the near-constant temptation of distraction and the knee-jerk reactions it causes.

2. Focus on risk: The best security organizations use a variety of techniques to understand the unique threat landscape they face. Those same organizations use this knowledge to help them prioritize the risks and threats that they wish to mitigate. In addition to helping these organizations prioritize spending and mitigate risk more effectively, this approach helps them stay focused and avoid running astray in pursuit of shiny objects. When the temptation to run in a particular direction arises, the organization can evaluate this new direction against its prioritized list of risks and threats. This helps the organization understand how this potential new direction impacts the organization, specifically regarding any additional risk that it may or may not introduce. In this sense, it is fairly easy to identify distractions by understanding their lack of relevance to the risk mitigation goals of the organization.

3. Prioritize holes to plug: In the security world, new techniques for intruding into organizations appear fairly frequently. Some of them grab big headlines, which of course can increase attention and pressure on security types from non-security types in leadership or executive positions within our respective organizations. But how firm of a grasp do we have on the primary ways in which we are being attacked and owned, as well as broader patterns and trends across the industry? It is far too easy to divert important resources away from their strategically prioritized day-to-day work and onto the hack du jour. But if today’s distraction poses a minor risk to our organization, does it make sense to divert resources from mitigating risks or plugging holes that we know pose serious risk to the organization? Not particularly, although without a quantitative handle on risk that includes a robust risk register, it can be hard to justify that stance in the heat of the moment.

4. Go beyond the buzz: A few years ago, I remember walking around the RSA Conference vendor expo hall and seeing signs that read “big data”, “security analytics”, or “big data security analytics” everywhere. Everyone was talking about the topic, and many still are, for good reason. But let’s go beyond the buzz and take a look at one of my favorite questions: So what? What will you use security analytics for? Do you have a list of risks to mitigate that will require a variety of different people, process, and technology to mitigate, including security analytics? For example, identifying stolen credentials and attackers masquerading as legitimate users? Having insight beyond the buzz allows an organization to more efficiently and effectively apply people, process, and technology to solve real world problems and challenges. Otherwise, solutions that are purchased and implemented wind up looking for a problem to solve. Not a great place to be, particularly when looking to justify expenditures and show return on investment.

5. Measure what matters: Did your security organization open and close 500 tickets last week and handle 10,000 IDS alerts? Pardon my candor, but who cares? How do those metrics help you assess how you are or are not progressing against the prioritized list of risks and threats you’re looking to mitigate? Measuring what matters allows an organization to produce metrics that actually help it assess its progress against its strategic objectives. Unfortunately, I am not able to expand on this concept in this piece, but I have written about it previously. Metrics that matter have the added benefit of allowing an organization to assess and measure whether activities (whether new or old) are adding value to the security program. You guessed it -- that helps a security organization stay focused on adding value, rather than chasing after shiny objects.

There is no shortage of distractions in the information security realm. As security professionals, we need to stay focused on managing, mitigating, and minimizing risk to our respective organizations, even as both the business and the threat landscape change around us. If we stay grounded, adapt strategically, and adjust incrementally, we stand a far better chance of successfully accomplishing our goals. Running off course on all sorts of impulsive tangents never made anyone more secure.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.