Many years ago, on a trip to Costa Rica, I learned something that fascinated me. In Costa Rica, the trees do not have tree rings. To people who live in colder climates that experience seasons, this may seem a bit strange. Why does this happen? The answer is quite simple. Due to Costa Rica’s warm climate, the growing season never ends. Because the trees grow continuously, they never develop rings.
You may or may not find this as interesting as I do, but for sure you are wondering what this has to do with information security. That is a valid question, so let’s get to it.
Over the course of my career, I’ve built or enhanced a number of different security operations programs. During that time, I’ve noticed that most (though not all) programs tend to follow an evolution that involves four main stages: conception, implementation, operation, and stagnation. Granted, this last stage does not sound particularly flattering, but stay with me and allow me to elaborate.
Let’s examine each of these stages in a bit more detail.
The security operations concept is born in this first stage. An organization becomes aware that it needs a security operations program and sets out on the path to building one. This usually involves recruiting one or more leaders, creating a vision for the program, setting strategic goals, and planning for implementation.
Once plans have been made to build a security operations program, an organization will generally move to the implementation phase. This is the most fun of all of the stages in my experience. The slate is clean, and everything is fresh and new. This stage is all about building. The organization puts in place people, process, and technology to guide, enable, empower, and facilitate the security operations program. The workflow is also established, training is performed, and the program prepares for its operational stage.
During the operational stage, the organization moves to running its day-to-day security operations. Shifts are established, process is followed, incidents are handled, escalations are worked, response is performed, and myriad other activities take place. The organization now has its security eyes on the lookout – and therein lies the rub.
The work of the operational stage should never be steady state. There is always more work to be done. In reality, operations should be iterative. Each time we encounter something, we aim to learn from it. That knowledge, be it a new Indicator of Compromise (IOC), a new control, a new analytical technique, a process improvement, or otherwise, should be fed back into the security operations program. People should feel comfortable continually interrogating the status quo looking for ways to improve it. Efficiencies and improvements should be sought continually. The organization should never become complacent. Unfortunately, in my experience, complacency often happens, leading to the unpleasant stage of stagnation.
Not surprisingly, stagnation is my least favorite stage and one that I wish didn’t exist. In an ideal world, organizations would never get to this point, but we don’t live in an ideal world. In this stage, the organization does not continually improve and enhance its security operations program. The builders from the implementation phase begin to leave, taking with them their institutional knowledge and coveted skill sets. In come the maintainers, generally more inside the box and procedural. Operations continue as normal, but with a catch – operations continue at the level that they were implemented. Because the threat landscape and attacker methodologies are continually evolving, this is inadequate to counter the risks and threats that the organization faces.
This brings us back to the tree rings. Tree rings occur when the growing season ends and growth stops. To avoid stagnation, a security organization must never stop growing. The security program must always improve and mature. Ideally, the organization should iterate between the implementation and operation stages in perpetuity. How can an organization accomplish this? Though not an exhaustive list, here are a few ideas:
• See the forest for the trees: Sometimes organizations get so bogged down in day-to-day operations that they spend 100% of their time heads-down. Of course, there is much important work to be done. But sometimes, the reason organizations are so busy is inefficiencies that could be remedied. If those organizations spend all their time heads-down, they will be unable to see the forest for the trees. Allocate staff adequate time to come up for air, take a step back, and suggest improvements.
• Question everything: Do so respectfully and constructively of course, but do so. If a process, decision, methodology, conclusion, or otherwise doesn’t make sense, question it. How many times have I asked someone the question “Why do you do that?” only to hear “I don’t know – that’s the way it has always been done” as the answer? Why do something that doesn’t make sense just because it’s always been done?
• Avoid being a hermit organization: To avoid stagnation, security organizations need to stay engaged with peer organizations and the broader information security community. Seeing what others are doing can provide us ideas, insight, and inspiration. Engaging with others can keep us on our toes. All of these are good things if we are looking to avoid stagnation.
• Introduce automation: Study processes and identify inefficiencies. Introduce automation to increase the efficiency of manual processes that are time-consuming. This frees up human analyst cycles that can then be used to come up for air and see the forest for the trees, as discussed above.
Stagnation does no one any good. Top talent exits. The security program weakens. The organization’s security posture declines. In the security realm, the odds are already working against organizations as it is. The last thing we need is stagnation. Don’t let the tree develop rings – make sure the security organization’s growing season never ends.