I've always been a fan of the rather descriptive expression "boil the ocean." According to Investopedia, boiling the ocean is to undertake an impossible task or project, or to make a task or project unnecessarily difficult. More concisely, boiling the ocean generally means "to go overboard."
In security, we can learn a valuable lesson from this expression. Security is all about balance and pragmatism. Enumerating risks and threats to the organization while simultaneously prioritizing them. Seeking to mitigate risk while in parallel understanding the need to accept a certain amount of it. Building a security program even though some of the people, process, and technology involved may be missing or imperfect. Running security operations with an understanding that the conditions are never ideal. Balancing between business or operational needs and security principles. And so on…
In my experience, boiling the ocean does not allow an organization to improve its security posture. In fact, quite the opposite is true. So how can organizations turn away from ocean-boiling and toward a more pragmatic approach to security? I present "20 signs you are trying to boil the ocean."
1. Perfect is the enemy of good. I'm a big fan of the Pareto principle. Sometimes it is possible to roll out a solution that addresses most of what we need fairly quickly, even if it doesn't address everything. If we wait for that perfect solution, we might be waiting a long time.
2. Finding the problem in every solution. I've worked with some pretty impressive people over the course of my career who seem able to find a solution to nearly every problem they face. I've also worked with people who seem to find the problem in every solution they discover. The former helps organizations mature. The latter makes them spin their wheels endlessly.
3. Working in series rather than in parallel. Ever feel like you can't move forward on tasks B, C, and D until task A is completed? That may be the case in some instances. But in many cases, there isn't as much interdependence between tasks as you think. It is very often quite possible to work in parallel to move things forward.
4. Inability to find the path forward. If trying to move any effort forward seems like an endless series of dead ends, it could be a sign that a less complicated path may bring better results.
5. Paralysis. Organizational paralysis can be, well, paralyzing. If employees don't try and effect change because they feel that it is doomed to failure, it could be another sign of rampant ocean boiling.
6. Playing hot potato. When the answer is unknown, it's easy to just say no and pass the hot potato on to the next person. Putting aside ocean boiling allows organizations to identify what can be done, instead of what cannot be done.
7. Always looking for more data points. It's easy to put off a decision because you are waiting for more data points. At some point, you need to realize that you have just about all of the relevant data points you will ever have and make a decision.
8. Always waiting for something else to happen. In a similar manner, it's easy to put off a decision because you are waiting for something else to be completed. Sometimes there is a genuine need for this time of dependence, but often, it's another symptom of ocean boiling.
9. Looking for every out. Ever come across people who seem like they are just looking for every possible out or opportunity to dismiss an idea? No idea is perfect, but many ideas can develop into real-life solutions.
10. Waiting for more money. There will never be enough budget to do everything that needs doing. Prioritize and get moving.
11. Waiting for more time. See number 10.
12. Looking for the perfect hire. Everyone wants to hire a 20-year-old analyst with 10 years of experience. I'd also like to have a pet unicorn, but we can't always have what we want. Consider hiring bright, energetic, motivated, and analytical people and training them.
13. Drowning in false positives. Well, if I turn off my noisiest alerts, then I might miss something, so I'll just do nothing instead. Sound familiar? News flash: if you are drowning in false positives, you are missing something already. Figure out how to be alerted to more of the stuff you care about and less of the stuff you don't.
14. Stagnant on content development. Attacker techniques continually evolve. You will never arrive at the perfect signature, logic, or algorithm. Know when you have something good enough that gives you a good shot at identifying attacker activity without drowning you in false positives.
15. Processes and procedures are forever a work in progress. There will always be more that can be documented or documented better. But at some point, your team needs guidance and a path forward for a variety of different situations.
16. Inability to start a dialogue with executives. You will never be prepared enough for all the potential questions and points that executives might raise. But you need to be able to get enough of a story together to be able to discuss risk prioritization with executives and move your team's agenda forward.
17. Inability to make progress with the business. Security shouldn't be the team of no, nor should it inhibit the business. On the other hand, risk to the business needs to managed properly and minimized wherever possible. These may sound like contradictory points, but a pragmatic, collaborative approach to the business can make all parties converge to a workable solution.
18. Operations permanently stuck in ramp-up. I've seen lots of situations where security teams seem to ramp up for years on end. At some point, security operations must start, even if imperfect. A security program can always be improved iteratively once it is running day-to-day. That's much better than never getting anything off of the ground.
19. Inability to prioritize risk. Every risk seems like a top priority. But if we have limited resources, we have to make calculated choices. Otherwise, we spin our wheels forever.
20. Draconian policies. Ocean boiling is responsible for most of the draconian security policies I've seen over the course of my career. It helps to understand which policies and practices actually contribute to improving security, and which ones just make ocean boilers feel better.
Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ... View Full Bio