Avoiding Tree Rings: Why a Security Organization Must Never Stop Growing


Many years ago, on a trip to Costa Rica, I learned something that fascinated me. In Costa Rica, the trees do not have tree rings. To people who live in colder climates that experience seasons, this may seem a bit strange. Why does this happen? The answer is quite simple. Due to Costa Rica’s warm climate, the growing season never ends. Because the trees grow continuously, they never develop rings.

You may or may not find this as interesting as I do, but you are surely wondering what it has to do with information security. That is a valid question, so let’s get to it.

Over the course of my career, I’ve built or enhanced a number of different security operations programs. During that time, I’ve noticed that most (though not all) programs tend to follow an evolution that involves four main stages: conception, implementation, operation, and stagnation. Granted, this last stage does not sound particularly flattering, but stay with me and allow me to elaborate.

Let’s examine each of these stages in a bit more detail.

Conception

The security operations concept is born in this first stage. An organization becomes aware that it needs a security operations program and sets out on the path to building one. This usually involves recruiting one or more leaders, creating a vision for the program, setting strategic goals, and planning for implementation.


Implementation

Once plans have been made to build a security operations program, an organization will generally move to the implementation phase. This is the most fun of all of the stages in my experience. The slate is clean, and everything is fresh and new. This stage is all about building. The organization puts in place the people, process, and technology that guide, enable, empower, and facilitate the security operations program. The workflow is established, training is performed, and the program prepares for its operational stage.

Operation

During the operational stage, the organization moves to running its day-to-day security operations. Shifts are established, process is followed, incidents are handled, escalations are worked, response is performed, and myriad other activities are carried out. The organization now has its security eyes on the lookout – and therein lies the rub.

The work of the operational stage should never be steady state. There is always more work to be done. In reality, operations should be iterative. Each time we encounter something, we aim to learn from it. That knowledge, be it a new Indicator of Compromise (IOC), a new control, a new analytical technique, a process improvement, or otherwise, should be fed back into the security operations program. People should feel comfortable continually interrogating the status quo, looking for ways to improve it. Efficiencies and improvements should be sought continually. The organization should never become complacent. Unfortunately, in my experience, complacency often sets in, leading to the unpleasant stage of stagnation.

Stagnation

Not surprisingly, stagnation is my least favorite stage and one that I wish didn’t exist. In an ideal world, organizations would never get to this point, but we don’t live in an ideal world. In this stage, the organization stops continually improving and enhancing its security operations program. The builders from the implementation phase begin to leave, taking with them their institutional knowledge and coveted skill sets. In come the maintainers, generally more inside the box and procedural. Operations continue as normal, but with a catch – they continue at the level at which they were implemented. Because the threat landscape and attacker methodologies are continually evolving, this is inadequate to counter the risks and threats that the organization faces.

This brings us back to the tree rings. Tree rings occur when the growing season ends and growth stops. To avoid stagnation, a security organization must never stop growing. The security program must always improve and mature. Ideally, the organization should iterate between the implementation and operation stages in perpetuity. How can an organization accomplish this? Though not an exhaustive list, here are a few ideas:

See the forest for the trees: Sometimes organizations get so bogged down in day-to-day operations that they spend 100% of their time heads-down. Of course, there is much important work to be done. But sometimes the reason organizations are so busy is inefficiencies that could be fixed. If those organizations spend all their time heads-down, they will be unable to see the forest for the trees. Allocate staff adequate time to come up for air, take a step back, and suggest improvements.

Question everything: Do so respectfully and constructively of course, but do so. If a process, decision, methodology, conclusion, or otherwise doesn’t make sense, question it. How many times have I asked someone the question: “Why do you do that?” only to hear “I don’t know – that’s the way it has always been done” as the answer. Why do something that doesn’t make sense just because it’s always been done?

Avoid being a hermit organization: To avoid stagnation, security organizations need to stay engaged with peer organizations and the broader information security community. Seeing what others are doing can provide us ideas, insight, and inspiration. Engaging with others can keep us on our toes. All great things if we are looking to avoid stagnation.

Introduce automation: Study processes and identify inefficiencies. Introduce automation to increase the efficiency of manual processes that are time consuming. This frees up human analyst cycles that can then be used to come up for air and see the forest for the trees as discussed above.

Stagnation does no one any good. Top talent exits. The security program weakens. The organization’s security posture declines. In the security realm, the odds are already working against organizations as it is. The last thing we need is stagnation. Don’t let the tree develop rings – make sure the security organization’s growing season never ends.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
