
The Devil You Know - How Idioms Can Relate to Information Security

The Merriam-Webster dictionary defines the idiom “better the devil you know than the devil you don't” as “it is better to deal with a difficult person or situation one knows than with a new person or situation that could be worse.” I’d like to examine this particular idiom, investigate its meaning more deeply, and understand how it relates to information security.

At a high level, this idiom seems to state that inertia is a virtue: that it’s best to stay with what’s known and tested. Why move away from something that is comfortable and that, at least at some level, seems to work? As the old saying goes, “if it ain’t broke, don’t fix it.”

At face value, this idiom and the philosophy it touts may seem like the winning strategy. While it certainly may be a wise way of looking at things in some cases, that isn’t always so. Why? In some instances, it is precisely because we are so familiar and comfortable with something that we are incapable of seeing that there is a better way. When we’re in the thick of something, we’re often unable to see the bigger picture of what is truly going on. Or, as the expression goes, we “can’t see the forest for the trees.”

Along these lines, there is a well-known Yiddish proverb that states that “when a worm sits in horseradish, it thinks there is nothing sweeter.” In other words, if all you know is horseradish, you have no idea that there is a whole world of far sweeter things out there that awaits you.

So what do all of these idioms, expressions, and proverbs have to do with information security? Quite a bit. In security, it’s important to know when to stay with what’s comfortable and familiar, and when it’s time to see what else is out there that awaits us. How can a security team understand when to take which approach? To examine this question, I offer five guidelines to help security organizations understand when to stay with the known, versus when to move on to the new.

1. Risk: Managing, mitigating, and minimizing risk should be on the mind of the security professional at all times. Understanding how to properly identify, enumerate, and assess risk are important and necessary precursors to managing, mitigating, and minimizing it. If an organization does not or cannot understand the risks and threats it faces, that is a sign that a new approach is needed. Further, if an organization is not able to get a handle on its risk, that is also a sign that a new approach is needed. In either case, the current strategy, or perhaps lack of strategy, isn’t bringing about the desired results. The organization needs to seek out a different path in order to control its risk in a more appropriate way.

2. Objectivity: Introducing more objectivity into a security program and reducing its subjectivity is always a positive. In practice that means deciding priorities on measured criteria, such as the exposure and impact of a given risk, rather than on gut feel or on whichever issue is loudest at the moment. Paths that lead to more objectivity in security should always be encouraged. If an organization doesn’t succeed at making its security program more objective, or if the security program seems to be getting ever more subjective, it’s a sign that the time has come to shake things up. Out with the too-subjective-old and in with the more-objective-new.

3. Stagnation: Regardless of where along the maturity curve a security team finds itself, it needs to continuously strive to improve. If the security posture of the organization is improving, and if the security team is maturing, the ship is headed in the right direction, regardless of where it set sail from. But should a security organization find itself stuck in neutral, it’s time to change tactics. Stagnation is one of the most significant indicators that the familiar needs to be a thing of the past.

4. Drowning: I don’t know too many security teams with idle time and spare resources on their hands. That being said, there are teams that manage to keep up with the changing threat landscape and the tasks at hand, while others constantly find themselves underwater and falling behind. When a security team is drowning, it’s an opportunity to take a step back and try to understand why. Is time being spent on tasks that add little value to security operations or reduce little risk? Are there inefficiencies that can be addressed? Do the security team’s tools not fit the tasks at hand? Is significant time being spent on manual steps that could be automated? Are there organizational, bureaucratic, regulatory, or other stumbling blocks keeping productivity at bay? In these and other cases, drowning is an indication that the time has come to work smarter, not harder.

5. Fad: We’ve all seen the rise and fall of “bright, shiny objects” in the security market. If something seems too good to be true, it probably is. Alternatively, if there doesn’t seem to be any logic behind why everyone is running in a given direction, it probably isn’t a good direction to run in. If it isn’t clear how a trend will strategically and methodically help an organization reduce risk and improve its security posture, it’s best to pass on it. In the case of a fad, stick with the devil you know.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA and also serves as Security Advisor to ExtraHop. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.