Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/1/2019
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
0%
100%

KISS, Cyber & the Humble but Nourishing Chickpea

The combination of simple, straightforward, and methodical ingredients are the keys to developing a balanced and well-rounded security program.

In recent years, hummus has become a trendy food. Once considered a mere dip-like side dish in many western countries, hummus has recently found a seat at the table as a serious and tasty main course option. It raises the question: What is it about hummus that has made it a star?

In my opinion, what sets hummus apart from other foods is its uncanny ability to be both simple and fulfilling at the same time. Hummus is humble, yet nourishing. It is plain, yet flavorful. It is inexpensive, yet filling.

To fully understand the magic of hummus, we need to break it down to its essence. While there are many different hummus recipes and varieties, the core ingredient of hummus is chickpeas — plain old garbanzo beans. Chickpeas have no need to get fancy or showy; they simply get the job done, time after time, with minimal cost and waste.

So, what does my obsession with hummus have to do with information security? More than you might initially be inclined to believe. Allow me to explain:

1. KISS: The KISS principle (Keep it simple, stupid!) states that most systems work best if they are kept simple rather than complicated. More often than not, there is a simple, straightforward way to solve a problem. If you design a solution that is cumbersome and overcomplicated, chances are you don't understand the problem well enough to solve it elegantly. There is almost never a need to get fancy. That merely creates an opportunity to introduce error unnecessarily.

2. Slow and steady wins the race: It may be tempting to chase after the item "du jour," or the latest fad in security, but during the course of my career, I've watched the quick rise and hurried fall of one trendy topic after another. At the end of the day, security teams need to remain focused on improving security posture and reducing risk. That involves applying people, process, and technology strategically over the long term and solving in a repeatable manner over time. Getting distracted by bright, shiny objects doesn't help in the least.

3. Minimize cost: It's always fascinated me how the default response to solving a problem almost always seems to be to throw more money at it. Obviously, proper funding is required to ensure that a security organization can accomplish its goals and that security challenges get addressed at scale. But what about when funding isn't the problem? Or, to ask the question differently, what about situations where problems can be solved by leveraging or optimizing existing investments? Looking to be frugal and resourceful, when appropriate, can be surprisingly effective. It's not always necessary to make large investments to get the job done. In fact, doing so can sometimes have exactly the opposite effect. How so? In the near term, it can divert resources and attention away from important work. In the longer term, it can introduce additional levels of complexity that will draw scarce resources away from other tasks.

4. Minimize waste: I've lost count of the number of times in my career that I've seen complex, expensive systems procured, deployed, operated, maintained, replaced, and then decommissioned. The cost of running through this process can grow quite large. Granted, risk changes, technology matures, and priorities adapt over time. But even taking all this into account, some technologies are discarded simply because they were procured three or four years ago. Does the age of a solution affect whether or not it can address a modern challenge? In some cases, perhaps. But instead of considering a technology's age, what if we considered its relevance to the goals and priorities we are looking to address? From this perspective, you might want to hold on to some of what you have before giving it the boot.

5. Cover the essential nutrients: A security program has many different limbs to feed, nurture, and sustain. It's important to take care of and provide for all of these essential elements in accordance with their needs. Focusing too much on one particular aspect of security comes at the expense of the others. A simple, straightforward, and methodical way to nourish all parts of the security program produces a far more balanced and well-rounded approach. There is nothing to be gained by focusing on a small number of elements, and in fact, there is quite a bit to be lost. When important security functions are neglected, the organization's security posture suffers.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-0173
PUBLISHED: 2019-08-19
Authentication bypass in the web console for Intel(R) Raid Web Console 2 all versions may allow an unauthenticated attacker to potentially enable disclosure of information via network access.
CVE-2019-11140
PUBLISHED: 2019-08-19
Insufficient session validation in system firmware for Intel(R) NUC may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
CVE-2019-11143
PUBLISHED: 2019-08-19
Improper permissions in the software installer for Intel(R) Authenticate before 3.8 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2019-11145
PUBLISHED: 2019-08-19
Improper file verification in Intel? Driver & Support Assistant before 19.7.30.2 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2019-11146
PUBLISHED: 2019-08-19
Improper file verification in Intel? Driver & Support Assistant before 19.7.30.2 may allow an authenticated user to potentially enable escalation of privilege via local access.