KISS, Cyber & the Humble but Nourishing Chickpea The combination of simple, straightforward, and methodical ingredients are the keys to developing a balanced and well-rounded security program.
In recent years, hummus has become a trendy food. Once considered a mere dip-like side dish in many western countries, hummus has recently found a seat at the table as a serious and tasty main course option. It raises the question: What is it about hummus that has made it a star?
In my opinion, what sets hummus apart from other foods is its uncanny ability to be both simple and fulfilling at the same time. Hummus is humble, yet nourishing. It is plain, yet flavorful. It is inexpensive, yet filling.
To fully understand the magic of hummus, we need to break it down to its essence. While there are many different hummus recipes and varieties, the core ingredient of hummus is chickpeas — plain old garbanzo beans. Chickpeas have no need to get fancy or showy; they simply get the job done, time after time, with minimal cost and waste.
So, what does my obsession with hummus have to do with information security? More than you might initially be inclined to believe. Allow me to explain:
1. KISS: The KISS principle (Keep it simple, stupid!) states that most systems work best if they are kept simple rather than complicated. More often than not, there is a simple, straightforward way to solve a problem. If you design a solution that is cumbersome and overcomplicated, chances are you don't understand the problem well enough to solve it elegantly. There is almost never a need to get fancy. That merely creates an opportunity to introduce error unnecessarily.
2. Slow and steady wins the race: It may be tempting to chase after the item "du jour," or the latest fad in security, but during the course of my career, I've watched the quick rise and hurried fall of one trendy topic after another. At the end of the day, security teams need to remain focused on improving security posture and reducing risk. That involves applying people, process, and technology strategically over the long term and solving in a repeatable manner over time. Getting distracted by bright, shiny objects doesn't help in the least.
3. Minimize cost: It's always fascinated me how the default response to solving a problem almost always seems to be to throw more money at it. Obviously, proper funding is required to ensure that a security organization can accomplish its goals and that security challenges get addressed at scale. But what about when funding isn't the problem? Or, to ask the question differently, what about situations where problems can be solved by leveraging or optimizing existing investments? Looking to be frugal and resourceful, when appropriate, can be surprisingly effective. It's not always necessary to make large investments to get the job done. In fact, doing so can sometimes have exactly the opposite effect. How so? In the near term, it can divert resources and attention away from important work. In the longer term, it can introduce additional levels of complexity that will draw scarce resources away from other tasks.
4. Minimize waste: I've lost count of the number of times in my career that I've seen complex, expensive systems procured, deployed, operated, maintained, replaced, and then decommissioned. The cost of running through this process can grow quite large. Granted, risk changes, technology matures, and priorities adapt over time. But even taking all this into account, some technologies are discarded simply because they were procured three or four years ago. Does the age of a solution affect whether or not it can address a modern challenge? In some cases, perhaps. But instead of considering a technology's age, what if we considered its relevance to the goals and priorities we are looking to address? From this perspective, you might want to hold on to some of what you have before giving it the boot.
5. Cover the essential nutrients: A security program has many different limbs to feed, nurture, and sustain. It's important to take care of and provide for all of these essential elements in accordance with their needs. Focusing too much on one particular aspect of security comes at the expense of the others. A simple, straightforward, and methodical way to nourish all parts of the security program produces a far more balanced and well-rounded approach. There is nothing to be gained by focusing on a small number of elements, and in fact, there is quite a bit to be lost. When important security functions are neglected, the organization's security posture suffers.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.
Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio