The Devil You Know – How Idioms Can Relate to Information Security

The Merriam-Webster dictionary defines the idiom “better the devil you know than the devil you don’t” as “it is better to deal with a difficult person or situation one knows than with a new person or situation that could be worse.” I’d like to examine this particular idiom, investigate its meaning more deeply, and understand how it relates to information security.

At a high level, this idiom seems to state that inertia is a virtue: that it’s best to stay with what’s known and tested. Why move away from what’s comfortable and, at least at some level, seems to work? As the old saying goes, “if it ain’t broke, don’t fix it.”

At face value, this idiom and the philosophy it touts may seem like the winning strategy. While it certainly may be a wise way of looking at things in some cases, that isn’t always so. Why? In some instances, it is precisely our familiarity and comfort with something that makes us incapable of seeing that there is a better way. Sometimes when we’re in the thick of something, we’re unable to see the bigger picture of what is truly going on. Or, as the expression goes, we “can’t see the forest for the trees.”

Along these lines, there is a well-known Yiddish proverb that states that “when a worm sits in horseradish, it thinks there is nothing sweeter.” In other words, if all you know is horseradish, you have no idea that there is a whole world of far sweeter things out there that awaits you.

So what do all of these idioms, expressions, and proverbs have to do with information security? Quite a bit. In security, it’s important to know when to stay with what’s comfortable and familiar, and when it’s time to see what else is out there that awaits us. How can a security team understand when to take which approach? To examine this question, I offer five guidelines to help security organizations understand when to stay with the known, versus when to move on to the new.

1. Risk: Managing, mitigating, and minimizing risk should be on the mind of the security professional at all times. Understanding how to properly identify, enumerate, and assess risk is an important and necessary precursor to managing, mitigating, and minimizing it. If an organization does not or cannot understand the risks and threats it faces, that is a sign that a new approach is needed. Likewise, if an organization is not able to get a handle on its risk, that is also a sign that a new approach is needed. In either case, the current strategy, or perhaps lack of strategy, isn’t bringing about the desired results. The organization needs to seek out a different path in order to control its risk in a more appropriate way.

2. Objectivity: Introducing more objectivity into a security program and reducing its subjectivity is always a positive. Paths that lead to more objectivity in security should always be encouraged. If an organization doesn’t succeed at making its security program more objective, or if the security program seems to be getting ever more subjective, it’s a sign that the time has come to shake things up. Out with the too-subjective-old and in with the more-objective-new.

3. Stagnation: Regardless of where along the maturity curve a security team finds itself, it needs to continuously strive to improve. If the security posture of the organization is improving, and if the security team is maturing, the ship is headed in the right direction, regardless of where it set sail from. But should a security organization find itself stuck in neutral, it’s time to change tactics. Stagnation is one of the most significant indicators that the familiar needs to be a thing of the past.


4. Drowning: I don’t know too many security teams with idle time and spare resources on their hands. That being said, there are teams that seem able to keep up with the changing threat landscape and the tasks at hand, while others seem to constantly find themselves underwater and falling behind. When a security team is drowning, it’s an opportunity to take a step back and try to understand why this is the case. Is time being spent on tasks that add little value to security operations or reduce little risk? Are there inefficiencies that can be addressed? Do the security team’s tools not fit the tasks at hand? Is significant time being spent on manual steps that could be automated? Are there organizational, bureaucratic, regulatory, or other stumbling blocks keeping productivity at bay? In these and other examples, drowning is an indication that the time has come to work smarter, not harder.

5. Fad: We’ve all seen the rise and fall of “bright, shiny objects” in the security market. If something seems too good to be true, it probably is. Alternatively, if there doesn’t seem to be any logic behind why everyone is running in a given direction, it probably isn’t a good direction to run in. If it isn’t clear how a trend will strategically and methodically help an organization reduce risk and improve its security posture, it’s best to pass on it. In the case of a fad, stick with the devil you know.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
