The Security Program Approach is Hard, But Necessary

As part of my day job, I have the distinct pleasure of studying enterprise security programs – or at least slices of them – in their native habitat. I spend time with CISOs and other security leaders at many different levels to understand, learn from and aggregate the successes, failures and lessons from these security program elements. Before I even embarked on this role, I was known to lament the difficulty of putting together a solid security program. Now, after just over a year in this role, I fully recognize the problem is much larger than I could ever have imagined.

The team I lead is fueled by classical research, which means we go out “into the field” to study various aspects and components of security programs. We take something like cloud security and figure out how companies are putting a program around securing their cloud consumption and what others can learn from their successes and failures. It is in this field work that I’ve noticed some undeniable patterns.

First, there is a general perception problem with the security program approach. Security today must be agile and adaptive, and security programs – at least the way many of us see them – are neither. The perception is that a security program approach is slow, rigid and requires heavy investment in resources. Agility and the ability to adapt aren't high on the list of things security programs are good at. But why not?

I believe that part of that misconception is tied to the hundred-plus page control frameworks that require enormous time commitments to implement and, once they're in place, require an act of Congress to modify. Whether you're following ISO, NIST or SANS, the program frameworks have largely failed us. Either they're too prescriptive and don't apply, or they're too loose and don't really say anything; or sometimes they're so long that by the time you're done reading you've forgotten why you started in the first place.

Your security program should be like a fine tailored suit – it should fit you well, imperfections and all, while allowing for your movement and give a little when you have a second helping of mom’s chicken parmesan.

The second thing I have noticed during my time in the field is a belief that using a program approach requires a significant staffing model for your security team. This simply is not true. I have talked with several CISOs who are happy to share their success stories of building a security program with several well-operationalized sub-components and a blend of staff, contractors and trusted partners. The model works, and while it does not apply universally, there are solid ways to get value from it.

Most of a company's security program elements fall into three buckets – those you build, those you buy and those for which you find a partner to help you manage. You can't do it all yourself – mainly because it's not possible in most cases – but you shouldn't hand it all to someone else either. There are healthy mixes, and the right one depends on the type of enterprise, market vertical and revenue model.

Finally, there is the one that causes the most sleep loss – the "all we need is widgets" approach. I've always been leery of those who disparage vendors. Solution providers speed up time-to-value and increase your scale and repeatability; that bears repeating, and I can attest that it is mostly true. But when I ask an organization how they're handling enterprise vulnerability reporting or threat intelligence, and they tell me they have it handled because they purchased the Magic Security Widget 10,000, it gives me pause.

Solution providers are just as complicit in this situation as anyone else, though. On the buyer side we have been inundated for a decade and a half with marketing pitches that promised miracles, yet we continue to struggle. As a result, security professionals fell into one of two reactions: either they bought into this "widget first" thinking and started piling on the shiny boxes, or they became snarky and skeptical. A widget – even the best of its breed – without a purpose or a strategy around it will fail to deliver value. I can virtually guarantee you this.

Centering your defenses on a widget that promises you the world is a recipe for disaster. We advocate a strong program approach that takes into account the human and process aspects of the tool, and then ensures the space between its inputs and outputs is not magic. In many large enterprises it is an order of magnitude easier to drop a tool into place and start using it without taking the time to design a program around it. The perception that you get to value faster this way is false, and it leads to failures.

The program approach, then, is the more difficult path. It is potentially more time consuming, resource intensive and costly than the alternative. Then again, the alternative is just to jump in and "do something." I'm sure you've heard that one before. "Just do something" is a short-term fix that often leads to big long-term problems.

Whether you're a believer or a skeptic, the program approach to security challenges is the only way. Planning, implementing, then maturing and measuring are slower and more resource-intensive in the near term but, ultimately, pay dividends in the long term. It just takes patience and a little experience – and if you have neither, you can always learn directly from those who came before you. The alternative, sadly, is more of the status quo.

Rafal Los is Managing Director, Solutions R&D within the Office of the CISO for Optiv, which was created in 2015 from the merger of Accuvant and FishNet Security. Los leads a team developing research-backed guidance addressing key program challenges for enterprise security leaders. Prior to joining Optiv, Los served as principal, strategic security services at HP Enterprise Security Services. Previously at HP, Los served several diverse roles including security strategist of enterprise security products where he advised customers on implementing practical solutions. Los also held various positions at GE entities and various other start-ups. Follow Rafal on Twitter: @Wh1t3rabbit.