If you read my pieces regularly, you might have guessed that approaching security operations and incident response in a strategic, holistic, and analytical way is something I’m passionate about. Perhaps not surprisingly, it’s a topic I often discuss during presentations, discussions, and meetings. Sometimes, I receive feedback or hear statements such as:
● “I think an 80% solution will be just fine here”
● “I don’t have the time or resources to strategically assess and improve my security program”
● “I will choose the lowest cost option”
Many of you know that I come from a security operations and incident response background. Because of that, I understand that we don’t live in an ideal world, that all operations, and particularly security operations is hard, and that improving is almost never easy. That being said, I still believe that taking a strategic, holistic, and analytical approach is something that can help organizations improve tremendously, even within an operational environment. From what I’ve seen, there is still plenty that can be done in almost every organization.
The 80% Solution
Is an 80% solution acceptable? Before we discuss that question, consider the following examples that help illustrate what 80% really means:
● Four hours and 48 minutes of unsafe drinking water each day
● Four hours and 48 minutes without electricity each day
● One out of every five cars on the road without brakes
● One out of every five planes missing routine safety inspection
● One out of every five illustrative examples not being particularly good
I could go on listing examples here for hours, but I believe you understand the point. Perhaps you even appreciated my humor in the last bullet point.
The point of these examples is to illustrate that, although it may be difficult, when it comes to risk mitigation, we should be aiming for the right solution. There will always be limitations and resource constraints. But if we start out by aiming for an 80% solution, we will probably wind up with far less than that.
Let’s use business negotiations as an example. If you are in the market and want to buy something labeled with a price of $5 for $3, you don’t begin by offering $3. Perhaps you begin by offering $1 and then enter into an animated dialogue with the vendor.
Security is no different. If we have a risk that we need to mitigate, we should begin by breaking it down into goals and priorities as I’ve discussed in previous pieces. We should aim to find the right people, process, and technology to cover all of the goals and priorities and properly mitigate the risk. Of course there will be compromises, challenges, and frustrations along the way. But that doesn’t mean we should aim for “good enough” from the beginning. We should always aim for what’s needed. You might be surprised at how many times that can actually be achieved when approached correctly.
No Time For Strategy
I’ve written previously about the “Too Busy For Round Wheels” phenomena. Yes, I understand from my operational career that it can be extremely difficult to find the time to come up for air and take a long, hard, and honest look at where the security program is vs. where it should be. But, I’ve also found that sometimes organizations spend an awful lot of time on activities that are not always value-added. It’s a vicious cycle -- organizations cannot figure out why they are so busy because they are too busy to examine why they are so busy.
Although it can be difficult, there is a definite need to come up for air. In the near-term, yes, it will pull some resources away from day-to-day work. But in the long-term, if done correctly, taking a strategic, holistic, and analytical approach to security will make far better use of those same resources and will allow organizations to improve their security postures far more quickly and efficiently than they would be able to do otherwise.
Think Total Cost
When people say “I am going with the lowest cost option”, what I often hear is “I am going with the lowest upfront cost option”. When organizations think about the cost of a solution, they should be thinking about the total cost. As you might expect this is more complex than merely the upfront cost plus yearly maintenance costs.
As I and many others have written about or discussed previously, technology by itself is not a solution. Solutions require the right mix of people, process, and technology. No one of those three elements can by itself produce a solution to a given problem. Further, total cost can be a bit tricky to calculate and sometimes a bit deceptive. What do I mean by that? Let’s take a look.
The total cost of a given solution will include some obvious and very tangible costs, such as:
● Real estate (rack space)
● Human resources to operate and maintain the solution
● Human resources to use the solution
● The cost of the technology piece to the solution
● Human resources to develop and follow the process piece of the solution
This is not an exhaustive list, but it is enough to give the reader an idea of what a tangible cost is. But what about the less tangible or intangible costs? What do I mean by that? Here are a few examples:
● Additional people, process, and technology required by the introduction of additional complexity into the environment
● Additional human resources required to sift through noise produced by a poorly performing or ill fitting solution
● Additional operations and maintenance cost associated with a solution that requires more attention than was expected or budgeted
● Missed incidents, such as long dwelling intrusions, and the financial costs that follow as a result, caused by inadequate detection capabilities or too low of a signal-to-noise ratio
● Additional solutions required to meet other operational needs that are not being met by a non-optimal solution
As you can see, looking at upfront cost alone can be quite deceptive. Calculating total cost of ownership (TCO) can be complex, but it is an exercise that brings tremendous benefits to the organizations that calculate it correctly. Only through a true understanding of TCO can the solution that is right for the organization be chosen.
Obviously every organization will have its limitations and resource constraints. But that doesn’t mean the organization should aim solely for good enough. Instead, an organization should always aim for what fits its strategic goals and priorities and what will improve its security posture most efficiently and effectively. Do I think that this is easy to do? Absolutely not. But that doesn’t mean we shouldn’t try. The real cost of “good enough” is simply too high to be worth the risk.