Swimming Upstream: What the Salmon Run Teaches Us About Security

A Successful Security Organization Knows to be on the Lookout for Predators and to Navigate the Troubled Waters Around Them

There are certain natural phenomena that I find to be simply breathtaking.  One of them is the salmon run.  For those unfamiliar with it, Wikipedia describes the salmon run as “the time when salmon, which have migrated from the ocean, swim to the upper reaches of rivers where they spawn on gravel beds.” 

During this run, salmon swim upstream over great distances. They face predators, such as grizzly bears, bald eagles, and sport fishermen.  And yet, through it all, they remain focused on returning “with uncanny precision to the natal river where they were born.”

I see a security lesson in this remarkable natural phenomenon.  In security, we need to remain focused on mitigating risk, improving security posture, and maturing the security program. Along the way, there are all sorts of obstacles, distractions, and harmful influences. In this piece, I’d like to discuss some of them, along with how an organization can overcome them in order to remain focused on accomplishing its security goals.

Infosec Lessons from the Salmon Run

1. Problems: There is a famous saying that goes something like, “Some people have a solution for every problem, while some people have a problem for every solution.”  If the salmon listened to everyone who told them they were doing it all wrong, they would never get anywhere.  There is a great deal of wisdom in this saying, and it is something that I have encountered repeatedly in security.  It is true that we should strive to find solutions that meet most of our requirements, fit our budget, and are reasonable to operate and maintain.  Solutions that do not address these points are, of course, not solutions at all.  But there is a fine line between ensuring that a solution is the right one and grinding progress to a halt.  It is all too easy to get caught up in finding fault with a potential security solution.  If an organization can’t keep its eyes focused on the goals that the desired solution is supposed to help attain, it can very quickly begin dismissing perfectly valid solutions.  No solution is perfect, but if it solves a problem that the security team cares about, it deserves a chance.

2. Predators: As the salmon swim upstream, predators, such as grizzly bears, bald eagles, and sport fishermen, stand ready to pluck them off.  In life, there are those people who elevate themselves by improving their skill set and performance. Unfortunately, there are also those people who elevate themselves by putting down others. These predators are extremely dangerous to the health and success of a security program. They stand by ready to create noise, ridicule, criticize, and derail necessary progress. A successful security organization knows to be on the lookout for predators and to navigate the troubled waters around them. Steering your security organization into the path of predators can cause setbacks that can significantly weaken the security posture of the organization. Security is already a hard enough job without the “help” of those who seek to make it an even harder job.

3. Distractions:  Maturing a security program and improving an organization’s security posture require a focus on the desired goals and a determination to meet them.  Distractions lurk at every turn, ready to pull a security program off-course. How can a security organization stay on course?  It’s important to go back to basics.  Start with the risks that cause the greatest threats to the business.  Identify gaps that exist in the security program that prevent the mitigation of those risks.  Plot a way forward towards filling those gaps and mitigating the highest priority risks.  Stay the course.  Anything else that pops up is simply a distraction.

4. Indecision: Another favorite saying of mine states that “a camel is a horse designed by committee.”  This statement rings true in a large enterprise.  It can be difficult to understand how to move an effort forward.  Many people along the way want to offer their input, advice, and direction as to how to complete the project.  Unfortunately, while often well-meaning, these people sometimes offer contradictory or unhelpful suggestions.  The first thing that any successful project needs is a leader empowered to take command, make decisions, and see the effort through to success. That person will need to gain buy-in and support along the way, but they will also be responsible for keeping the project moving forward so that it doesn’t stall. A lack of empowerment or a poor choice of leader can doom a project to failure, causing it to simply die on the vine.

5. Paralysis: Organizational paralysis is an unfortunate state that I’ve seen many times. Obviously, organizations don’t want to make important decisions that have long-term impacts on a whim, based on intuition, or in a vacuum.  But the other extreme is no good either. Organizational paralysis occurs when an organization over-analyzes matters so much that neither decisions nor progress can ever be made. This prevents important efforts from moving forward and weakens the security posture of the organization. When a security project is undertaken, it needs to move forward continually.  Take an educated guess as to how the project plan should look and start down that path. Collect input and measure progress along the way, and when necessary, course correct. But don’t get stuck in the mode of over-analyzing every aspect. That will lead nowhere helpful.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.