Classic Queen lyrics to introduce our next deadly sin of security architecture: greed. But this might not be the greed you think of first. I’m not talking about being greedy about getting our grubby security mitts on all the budget we can spend – or all the resources we can hire (assuming you’re not chasing mythical cybersecurity unicorns). I’m talking about being greedy for…
Controls.
Lots of controls (with a brief nod to Keanu Reeves in both The Matrix and John Wick 3).
As security, it seems we can’t seem to get enough of ‘em. If they’re out there, then someone’s bound to ask the question, “Why don’t you have X?”
And we do.
Want endpoint security?
Yep. We have 3 different vendors to do that—across only 2 basic platforms.
Why?
Because we can.
Want port filtering?
Sure. We got that.
Here…here….here….here….oh, and HERE, here and here!
We gotcha covered, Chief! And only one implementation isn’t enough.
Who cares if they fight with each other? The more the merrier.
During the VMWare presentation last year at RSA I watched via the archive, there was a reference to the CIO of Citibank saying that they used 250 different security vendors across their organization.
Are all those vendors really necessary?
Are they redundant—architecturally speaking?
I’ve no idea.
And you probably don’t either. Not because you don’t want to—but because it’s generally so hard to figure it all out.
As security, we’re often dealing from the bottom up. And even from starting from the bottom, we’re almost guaranteed to wind up in silos.
Silos of knowledge.
Silos of authority.
Silos of controls.
Why? Because we don’t really have a good view of what we have, what it does – conceptually speaking – and whether we actually have true defense-in-depth security.
The controls are there, and the vendors want to sell them to us—and we have a pretty fat security budget at times from being able to make a good case on FUD, so why shouldn’t we just go ahead and load on up with controls? What can possibly go wrong?
Unfortunately…a lot.
There’s a quote from the philosopher, psychologist and humanist Erich Fromm that goes:
“Greed is a bottomless pit which exhausts the person in an endless effort to satisfy the need without ever reaching satisfaction.”
Sure, he was also a socialist, but that’s not the point. The point is that as a security architect – especially one working in the lower architecture layers without a good view of the overall bigger picture of what the organization is trying to accomplish – it’s pretty easy to fall into being greedy about specifying policy requirements and deploying controls.
There’s a ton of risks out there, and there’s a ton of vendors who claim to mitigate those risks—not to mention all of those control standards, libraries and foxy frameworks people are expecting us to use, simply because they have some kind of “brand recognition” as best practice or what people should be doing.
And if you’re a security vendor – especially capitalizing on the FUD-factor that’s still alive and well, despite becoming more subtle and sophisticated – then you’re going to show how your XYZZY product does the most-est to cover all those risks.
But you’re skeptical of all the vendor claims, so you’d better buy two…just in case. And, after all, you can play the DiD card, so that if something happens, at least you can say you invested in controls, had the redundancy should one fail, and basically have an air-tight case for doing the right thing.
Or did you?
The point here is that control greed is often a symptom of a “spray and pray” approach to security. The thing is, if you look at the motivation behind this kind of approach, it’s often due to lack of proper training and/or a willingness or the skills to take the time to focus and make every shot count.
So the question becomes: are you making every control you recommend really count?
Are they necessary?
Are they relevant?
Are they cost-effective?
If you’d rather not have to guess about this anymore, there’s still a few hours left to make sure you’re subscribed in time to get the March issue of the Security Sanity™ print newsletter delivered right to your doorstep—free of charge, anywhere in the world. Because in its pages, you’ll find the answers for how to avoid slipping down the slope of control greed so that you stay focused on what it really takes to keep your organization safe while it goes about doing whatever it’s trying to do.
Just go to this link: https://securitysanity.com
Scroll to the bottom, and click the big yellow button with your credit card in hand before 11:59pm US/Eastern, and you’ll be sure you’re subscribed in time.
And then every single month after that, you’ll get all kinds of new ideas, insights and guidance on how to improve the effectiveness of your security program—and your security architecture efforts. But only if you subscribe.
Time is running out to get the antidote to all 7 of the deadly security architecture sins so you can start putting them in practice within minutes of devouring the issue.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
