Laziness is a Wonderful Motivator in Security

Security Teams Are Often Challenged to Run a Proper Security Program With Too Few Resources

One of my favorite English-language proverbs states: “necessity is the mother of invention.” The Oxford dictionary explains the meaning of this proverb as: “when the need for something becomes imperative, you are forced to find ways of getting or achieving it.”  As you might have already guessed, I believe we can learn an important security lesson from this proverb.

At a high level, our goal in security is to manage, mitigate, and minimize risk.  In an ideal world, we would enumerate the list of risks and threats we are concerned about and allocate the necessary resources to properly address them.  Of course, we don’t live in an ideal world. Most security teams feel this quite acutely in the form of resource constraints. Whether considering time, money, personnel, or any combination of the three, there just never seem to be enough resources to address the challenges at hand.

It is precisely because of this that laziness is a wonderful motivator in security. Or, rather, not laziness per se, but a constant need to do more with less: the ever-present need to run a proper security program with too few resources. This necessitates inventing ways to work smarter, rather than harder. This necessity is the mother of invention in the security field.

It is in this spirit that I offer a few ways in which organizations can work smarter, rather than harder, to improve their information security postures in a resource-constrained environment:

● Focus:  As you might imagine, staying focused on the right things is an important part of making optimal use of resources.  Sure, that sounds great, but what does that actually mean?  How does an organization know where to invest and allocate resources?  While there are different ways to approach this question, I prefer to take the approach of looking at value-add.  A security organization that looks introspectively at how it spends its resources (time, money, and personnel) across different activities is one that can evaluate those activities for the value-add they provide to the security organization.  Activities that consume significant amounts of resources but don’t help improve the organization’s security posture should be examined very closely.  Why are these activities being performed?  Perhaps there is a regulatory requirement or some other reason.  But I’ve seen plenty of instances where there was not really any good reason for a given activity.  And in those cases, the resources dedicated to the activity are best allocated elsewhere.

● Get organized:  I’ve known some disorganized people in my life.  You know the type.  The ones who can never find their car keys when it’s time to leave.  Or the ones who can’t remember where they put their wallet.  Or where they put the materials they need for that important meeting coming up.  Disorganized people often feel like they are extremely busy and can often be overwhelmed.  What they may not realize is that they often spend an inordinate amount of time looking for things or trying to remember what needs to get done.  Organized people, on the other hand, spend most of their time simply doing what needs to be done.  The same is true of security programs.  The more organized the security program, the more it will be able to do with the resources it has available to it.  In security, time wasted on disorganization is time taken directly away from mitigating risk.

● Prioritize:  Have you ever stared at a to-do list and thought to yourself, “There is so much to do that I don’t even know where to begin”?  And how much work gets done while you’re staring at the list?  Not very much, right?  In security, the to-do list is always very long.  Stop staring at it and get to prioritizing.  Pick a few activities that are of the utmost importance and highest priority in terms of mitigating risk and start there.  Have secondary and tertiary lists ready for any resources that may free up.  Prioritize activities and get moving on those at the top of the list.

● Less is more:  I’m a big fan of the less-is-more philosophy.  Why have numerous overlapping and redundant technologies?  Why not rely on fewer technologies with little to no overlap?  Why collect many different types of highly specialized data sources?  Why not collect fewer, more generalized data sources to provide the same level of visibility with reduced complexity?  Why bombard your work queue with a high number of alerts with low fidelity and little value?  Why not send fewer alerts with high fidelity and high value to the work queue?  The list of examples goes on and on, but the principle remains constant. And in security, I’ve learned that in many cases, less is more.  Reducing complexity reduces the resources required to operate and maintain that complexity.

● Automation: Certain areas within security involve tedious, manual, or time-consuming tasks. If these tasks add value to the security program and work towards improving the organization’s security posture, they could be good candidates for automation.  Why sink resources into supply-chain risk assessment when an automated Vendor Risk Management (VRM) platform can be leveraged?  Why perform security operations and incident response manually when certain aspects of the process can be automated?  There are many ways in which automation can be introduced.  The key is finding ways in which automation can be used to alleviate the strain on resources.

● Don’t reinvent the wheel: When you encounter a challenge in security, chances are you’re not the first person trying to address it. This is where having a strong peer network and other resources to turn to can help tremendously. Why allocate scarce resources to reinventing the wheel?  Why not leverage work that has been done previously to save time, money, and labor?  That frees up resources that can be allocated to some of the other challenges at hand.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA and also serves as Security Advisor to ExtraHop. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.