Security Experts:

Security Lessons Learned From Adopting a Pound Dog

About a year ago, we adopted a pound dog named Nala. She was about three months old when we got her. When we first met her, we immediately picked up on her sweet personality and her eagerness to please. With some training and a lot of love, those traits have remained, and she has grown into a beautiful, well-behaved dog.

Nala is a mutt. We know that her mother was a Rottweiler, and the pound believes that the father may have been a Belgian Shepherd based on the way Nala looks.  As many of you know, there are so many beautiful and sweet pound dogs that need homes.

At this point, you may be asking yourself what Nala has to do with security. That is a fair question. To help answer it, I’d like to share five security lessons that my daughter taught me during a recent conversation on the topic.

1. Real is better:  There is something very real about a pound dog. Maybe it stems from their need to be adopted lest they face a bleak future (to put it mildly).  Or maybe it is because they aren’t heavily marketed and don’t come all neatly packaged up. In any event, in security, and particularly when it comes to security solutions, it’s important to see through the hype and fluff and understand the true essence of what is being offered. Is it real?  Will it help you mitigate risk and increase your security posture?  Does it address gaps or priorities you’ve identified? Those are what is truly important, and it is important to find a way to understand what you are truly getting with any given solution.

2. SaaS is preferred:  Pound dogs are kind of like Dog-as-a-Service (DaaS). They don’t ask for an up-front payment, and they are eager to prove their value to you month after month.  In a similar manner, SaaS is a great model for security solutions.  It encourages vendors to provide value on an ongoing basis in exchange for a subscription fee.  It also encourages vendors to be adaptive, responsive, and flexible when it comes to customer needs. After all, without the lock-in of a traditional enterprise license, the buyer has a lot more say in getting the security solution that works for their organization.

3. ROI is king: When someone adopts a pound dog, they don’t need to worry that they are funneling money into something that will create more problems (i.e., more stray dogs).  Instead, it’s quite the opposite.  In security, we need to ask ourselves the question: Why continue to fund “solutions” that create problems rather than solving them?  Instead, we should enumerate our top challenges each year, prioritize them, and then go about solving those challenges to which we’ve assigned the highest priority.  If we find ourselves continuing to fund processes or technologies that don’t solve problems for us, we should reconsider those investments.

4. Health is important: Purebred dogs are known to be predisposed to certain health problems due to inbreeding.  Pound dogs, on the other hand, are generally less inbred and are thus less predisposed to certain health problems.  In security, we need to be wary of relying too heavily on one type of control, mitigation, or defense.  We also need to be wary of being lulled into a false sense of security by one or a few vendors who assure us that they have our bases covered.  We need to ensure that we cover as many potential attack vectors, risks, and intrusion vectors as possible, and that we constantly push our vendors to integrate with other vendors that solve different problems that are equally as important to us.  If we find ourselves too “inbred” in terms of our security measures, we could end up lowering our security posture and raising our level of risk, rather than the opposite.

5. Gratitude: Perhaps I’m crazy, though I do believe pound dogs remember where they came from and are grateful and loyal to their owners. Similarly, when a security team goes with an honest, hardworking vendor that invests in actually solving problems more than they do in marketing collateral that talks about how they solve problems, that vendor will be loyal and grateful. The result will be solutions that work harder for your organization and do more of what you need them to do, without a sense of entitlement and without a poor attitude.

In summary, consider adopting a pound dog if you haven’t already. And also, think about how you can apply the lessons above to your security organization. You won’t be barking up the wrong tree - I promise.

view counter
Joshua Goldfarb (Twitter: @ananalytical) is currently Director of Product Management at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.