Over time, I’ve learned to ask the above quote pretty early when I start working seriously with a security team. And the main reason I ask it is that, once pressed to answer, almost every security team I’ve ever met is surprised by the answers they find.
Yesterday – well, in the wee hours of the morning actually, since I’ve now officially gone full-blown into my “temporal distancing” approach to actually get things done without interruptions – I was going through a bunch of statistics and reports, and one of the more sensible suggestions in something from KPMG was the following:
“Automation…is the most efficient course of action for organizations focused on addressing cyber risk expeditiously. Look for tasks that are manual and time-consuming and move aggressively to automate them.”
Good advice, right?
Except that the main driver for this advice was in response to chasing the cybersecurity unicorn nonsense of the lack of skilled cybersecurity professionals. As I said last year in the sample Security Sanity™ issue you get when you join this list, yes, you might not be able to find you definition of a cybersecurity professional, but that doesn’t mean you’re looking for the right ones either.
So, automation as a goal leads you directly into ending up with a talking snowman in a boat of ice, careening down a hill and almost being snorted by a sleeping stone giant. And, it does this, because if you haven’t figured out what you should really be doing and where the real bottlenecks are…
…you’re going to be happily spending bazillions on automating the wrong thing—and, as we know, you might trade the “I don’t have enough time to deal with [threats/incidents/projects/…]” lament with one that goes:
“I don’t have enough time to deal with all these false positive alerts and get any real work done!”
To their credit, the rest of the KPMG guidance stresses making sure your people are focused on the “right things”, but…
…what are those “right things”, exactly?
Is it making sure that you’re doing Threat Modeling each iteration of your DevOps delivery cycle?
Is it making sure you’re aggressively scanning for the most recent list of vulnerabilities that might be present in your environment?
Is it trying to figure out exactly what the hell is in your environment in the first place?
For you, and in your organization, I honestly have no idea what the detailed operational security tasks would be…
…and neither will you unless you have a clear picture of what it is you’re trying to protect, how it relates to delivering value to the organization and a risk-based view of where you need to pay particular attention vs. where it might be ok to let an incident or compromise play out until it hits a well-placed fire break.
Notice I didn’t say “firewall” on purpose…although you can certainly choose that particular mechanism to implement what I’m talking about.
But, fundamentally, what I’m talking about is recognizing what your security strategy really is. And despite what Tony Stark says as he jumps out of the back of the Quinjet after Thor and Loki, “I have a plan: attack!” isn’t a suitable strategy or plan of attack of any kind.
And yet, it’s unfortunately what lots of organizations do every day chasing “cybersecurity best practice” by trying to fill their control deployment bingo cards year-over-year.
It’s actually the same, because what happens when your card is full?
Are you “secure” just because you have all the controls?
It’d be pretty naive to think so.
But if you go about throwing automation around to give your team leverage and space to focus on more and better things, I’m gonna bet that’s a pretty likely place you’ll start.
Which brings us back to understanding where you’re spending your time every day. Because solving this problem has to burn both ends of the candle. You don’t have time to stop and get the strategy right. The business still needs to be protected, and, as we know, the bad guys don’t really take vacations.
There’s two reasons that security gets a bad name as “The Business Prevention Department”. The first reason comes from slowing down new projects, but I’m not going to talk about that one today.
The second one comes from operations, because people who are trying to get their jobs done are blocked when they encounter a security policy that runs contrary to the way they want to solve the business problem they face.
Now, maybe that’s on them for taking the “wrong” approach to the problem…
…and maybe that’s on us for not understanding that what we think is the “wrong” approach is actually what makes the most sense for the business.
But whatever the case, in one particular customer I was working with, the average time to complete the single task their security operations team did the most was over 2 months, but the average time it took to actually do the work was less than 2 weeks.
Now, is this where I would suggest they start with the automation I mentioned?
Again, I don’t know. A single data point does not an analysis make.
Maybe this particular task, since it was the most frequently performed, is the right one to try and automate. But maybe, the issue isn’t automating the task, since that doesn’t normally take that long. Maybe the issue is automating the workflow that happens before the task even gets started.
Or maybe….maybe the right place to start is in all those little “death by 1,000 cuts” types of tasks the team was trying to do in parallel, because maybe that’s where the issue was.
Or maybe, based on the real analysis of the risk exposure for their environment, they shouldn’t have even been worrying about taking ownership of that particular task at all, because – knowing their environment – probably 50-60% of those requests resulted in no added security value to the organization at all.
But they didn’t know that at the time…because they really didn’t understand where they needed to focus.
And, funnily enough, both those problems I mentioned earning security the badge of Business Prevention can be solved by the same thing—even if they’re not going to be immediately solved at the same time.
How would you solve the problem?
Do you even have this problem?
And if you do, are you happy with what you’re doing about it today?
If the answer to that last question is in the negative and there’s any question as to the answer to the first one, then maybe I can help. It’s what I do as part of the way we structure and deliver our premier Effective Security Leadership coaching and mentoring program for CISOs, security architects and managers of security functional teams. And, while I’m not going to guarantee anything I do will be able to help you, because there’s too many unknowns about where you are, what challenges you face and what you have to work with to make that call before we can talk about it…
…what I can say is that I’ve been officially working with organizations to help them enhance their security programs for well over 15 years. During that time, I’ve seen a lot of problems, but what I haven’t seen are nearly as many root causes. The bottlenecks teams face are often the same…regardless of the industry and regardless of where they happen to operate around the world.
If I can’t help you – and especially if I can’t help you right now due to any barriers you may be facing that would prevent being able to address the real problem you need to solve – then that’s exactly what I’ll tell you on the call. To do otherwise would be disingenuous and waste both our time.
But if I can, then we can talk about what that might look like and what kinds of results you’d be able to expect within the first 3-month sprint of the program.
To see if it’ll help you make sure you’re focused on the right things and spending the precious hours you have delivering tangible value to the business you can actually measure, you’re gonna need this link:
Andrew S. Townley
Archistry Chief Executive