Being Comfortably Numb isn’t good enough when it comes to integrating technical security controls
Hello…. Is there anybody out there?
This is the famous first line of Pink Floyd’s song “Comfortably Numb”. Roger Waters who wrote the lyrics, claims that the genesis of the song has to do with delirious thoughts he experienced as a child while suffering from fevers. Others have speculated that the song is actually about drugs. Personally I’m not going to take an opinion on the matter, as I have enjoyed plenty of evenings at the planetarium during my college years listening to his music while watching laser light shows.
So what does this have to do with integrating technical security controls into your environment?
Having delirious thoughts is characterized by restlessness, illusions, and incoherent thoughts. Yes a bit extreme, but arguably similar to the feelings you may experience when tasked with researching which technical security control is the right fit for your project and organizational goals. And how could it not be? With all the product innovation and related marketing hype, along with the antiquated services and information provided by industry participants like VARs and analysts; the burden is squarely on you to figure this out. This might be well and good except if you’re like every other security professional, then you’re already overloaded with your regular tasks and lack the resources on your team to offload this work.
So, how did we end up in this situation in the first place? To answer that we need to look back about ten years to the time when IT security was mostly an insurance program reluctantly adopted by the Information Technology organization. There were very few solutions available (compared to today) and the threat landscape was immature and not professionally organized. As a reference, the first data breach of credit cards happened between 2005 and 2007. In this much simpler world, industry participants like Value Added Resellers (VARs), Security Integrators (SIs), and analysts (like Gartner) provided companies with information and services to help them decide on the best solutions to deploy. With a limited number of solutions provided by mostly larger security manufactures, the system worked well and filled a gap in the market.
Now, let’s fast forward to today. We’ve seen over the past ten years, a massive amount of new cyber-attacks from highly sophisticated threat actors targeting a much broader set of organizations. This has resulted in a radical change in the market. Now, most organizations have a dedicated security team as breaches have escalated both in intensity and cost. Innovation by new IT security vendors and service providers is skyrocketing to meet new demands. The government has made Cyber a fifth warfare domain, and we see endless references to cyber security in popular TV shows and movies. Sounds like job security and an opportunity to be the “cool person” at the party…. Well, not so fast.
The gotcha is that the need for IT security has grown so fast that the industry cannot keep up with the demand. Meaning, security professionals are working way too hard since resources are scarce – so forget having time to go to those parties. This growth has also spurred a ton of innovation from every corner of the industry to help security professionals be more effective at their jobs and address modern threats. However, one area that is in stark contrast to all this innovation is services associated with helping companies select the right technical security controls.
Remember the VARs and Analysts that provided useful information ten years ago? Well, their business models haven’t changed one bit. Some of this is their fault for being asleep at the wheel, but customers have some responsibility in this as well. In whole, people on all sides of the market labeled the reselling of products as a low value activity long ago and the moniker has stuck. This has redirected the attention of VARs and SIs towards what they consider higher value services – leaving solution recommendations to a “best efforts” activity.
As far as 3rd party analysts who produce reports about security products, they provide very little value for most companies. After all, the process of security integration needs to account for customer-specific interests, such as: environment compatibility, critical system integrations, compliance requirements, budgets, and even their culture. Reading a paper about the perceptions of an analyst on which technologies are best, is a very narrow and myopic view that has little to do with the intended audience’s actual considerations. Not to mention, there may be other bias that also creeps into the analysis, but we will leave those out of this discussion.
This brings us back to where we started in the blog. When it comes to technology integration the responsibility is on you. With an already maxed-out schedule, this process becomes very cumbersome and at a time when selecting the right solution is more important than ever. Many of the CISOs and CSOs in our community talk about IMPLEMENTATION RISK as being a key issue for them. This is the risk associated with deploying technical security controls to satisfy business needs. As their role moves into the realm of risk management, there is a heightened sense of scrutiny on this, which is driving new behavior. These security leaders are looking for third party validation, data metrics, and peer reviews to help lower this risk. For IT security teams this means; more work, late nights, tons of research material to scrutinize, and delirious thoughts as they sift through marketing messaging and industry hype.
One of the best ways I have found to describe the industry’s deficiency in this technology integration area is to look at it from the IT security lifecycle standpoint.
The areas in yellow are the parts of the IT security lifecycle that deal with building and managing your security program. The area in blue focuses on the operational aspects of running your security program. Both areas have frameworks and standards that can be leveraged to help you assess and mature your program and processes. This provides senior security leaders with common terminology and metrics to facilitate communication across the organization that is understandable and measureable. Now, look at the area associated with integrating technical security controls into your environment (orange). There are no standards, no best practices, just subjective reports and information.
Which brings me back to Roger Waters’ famous line “Hello… is there anybody out there?”
The answer is “YES,” we are here and taking note of this problem. In the next installment of our blog on this topic, we will look at a new business model that is centered around data to help companies make better technical integration decisions.