Management & Strategy

Security is an Industry of Priorities

For many reasons you’ve heard and read about, security is a very difficult space. Prioritizing is an unenviable job many security professionals must do every day – do you go live with a product on time, or do you hold it to fix that security bug which could cause a catastrophic failure? The answer is nuanced, as we all know well, and while I think we all would love it if we never had to answer that question, it’s a reality. Sure, security should have been built into the thing well before release was even within sight – but you know, time, money, priorities …

If the yearly trip out to San Francisco for RSA Conference reinforces anything for me, it’s that we are an industry of priorities. What I mean by that is simple – when you walk around the RSA show floor and marvel at the metric ton of cool new stuff that solves problems you never even knew you had, you start to realize you really need all of it. I don’t literally mean all of the stuff being showcased, but rather something from nearly every category. Literally. Cloud governance tools, yup. Software security testing kit, yup. Authentication broker tools, absolutely. Security analytics, most definitely. The list goes on and on.

Within each splinter of a category there are even more choices and priorities to be hashed out. I spent a lot of time with endpoint tools this year in the speed dating ritual, which involves meeting all the vendors, hearing the pitch and providing feedback. At about noon on Wednesday, after a few of these meetings, I started to wonder how customers choose. If you’re serious about defending your desktops holistically, you are faced with an impossible decision.

When I think about security on the endpoint I put these tools into their functional categories. Prevention, detection, response and recovery are the four functional categories that most easily define the space – most any space. Prevention is self-evident, as is detection. Response focuses on what happens after you’ve detected something malicious, and recovery focuses on restoration of steady state. Given that there are nearly no tools that do recovery well, that category falls by the wayside (for now). As it turns out, nearly none of the tools out there perform effectively across the three remaining categories! Most are concentrated either on prevention, or on detection and response. This is very distressing.

If I put myself in the shoes of the enterprise buyer who is faced with staffing and talent challenges (I won’t call it a shortage, for now) my head starts to spin. Of course I want to buy tools that automate as much of the defensive cycle as possible, intelligently, while extending my few precious human resources. Do I spend my budgetary dollars on prevention – knowing that is not 100% (or even close) and I’ll need to buy additional tools for detection, response and recovery? Do I forego prevention and just focus on detection and response, scaling and maximizing my security team’s capabilities? Who does recovery? After talking with many security leaders it’s clear that “just reimage the machine” isn’t a good answer anymore.

This is an impossible choice.

While I love the innovation that happens when a product space micro-segments like this, I long for the days of consolidation, when many of these stand-alone products become features in a larger suite of tools. I’ve lost track of how many times during RSA Conference I’m getting a new product pitched to me and all I can think is “Wow, that’s a necessary feature in a bigger suite, not a stand-alone product!” But this is the way innovation happens. And when we see consolidation we cheer and secretly hope that consolidation doesn’t mean the end of specialization and innovation.

So we continue to be an industry of priorities.

As a buyer this means that you must first and foremost understand your own capabilities. As an organization you must know your strengths, your weaknesses and where your ability to grow and learn lies. As part of client strategy engagements I’m repeatedly asked where I think companies should make their next security investment. It’s a fair question, but one I don’t always feel qualified to answer. The reason is that I don’t know every company, its environment, its security talent and its existing resources. That takes time to vet and properly understand. But I think this is one of the most critical questions when building out a strategy.

There is a Mike Tyson quote that goes something like “Everyone has a plan until they get punched in the face,” and at first blush that sounds like a strategy is worthless in the face of an incident. I think it’s quite the opposite. Once we understand our priorities and have the right people and tools that suit our strategy, there is a framework for how we will react when we get punched in the face. Sure, incidents are the equivalent of a sucker-punch you never expect, but your strategy should account for things you can’t plan for.

So, bringing this back to priorities and tools – you need to know what your capabilities are. You then have to pick your priorities based on those capabilities. What features can you not live without? Rank them, agree on them, then go shopping. If you don’t, you’ll end up with tools that neither properly enable your team’s strengths nor fill the gaps in its capabilities.
