Several years ago, I used to give a talk called "Cyber Essentialism." It's modeled after my favorite book, Essentialism: The Disciplined Pursuit of Less, by Greg McKeown (Currency; 2014), which tries to convey that we all need to focus on the vital few things instead of the trivial many. It's not easy — plowing through emails feels like you're getting more done, even though you might not actually be moving any needles. Doing lots of little quick, low-hanging "fruit" might also feel great, but is that truly having an impact? Sometimes, sure, but all too often we are all focused on the trivial many instead of the vital few — thus the need for essentialism.
With cybersecurity, essentialism is more necessary than ever. Back in 2016 when I put together my presentation, teams were understaffed, overburdened, and facing a challenging dynamic IT landscape to defend. Sound familiar? We're still in this same situation, only now teams are being asked to scrutinize their capex and opex even more while seemingly having an even bigger surface area to defend each year. To put it in the words of the CISOs at a recent dinner — "do less with less."
So, what are some things you can do? Read on and give yourself some forced reflection time after doing so.
Start With Strategy
Peter Drucker once wrote, "efficiency is doing things right, effectiveness is doing the right things." This sounds very much like essentialism to me. Regardless, the need to figure out the "right things" is critically important. This is starting to move our thinking toward "strategy," but that word is often overused. Perhaps another one of my favorite books, Good Strategy, Bad Strategy: The Difference and Why It Matters (Currency; 2011), by Richard Rumelt, can shed some light.
As the author wrote, the kernel of a strategy is really three things: a hypothesis, a guiding policy, and a set of concrete steps. This is where so many of us get it wrong — we don't consider what our hypothesis and guiding policies are! What's your security program hypothesis?
From here, what's the guiding policy that you can utilize for both micro and macro decisions? Maybe decentralize as much as possible? Automate everything? Monitor as much as you can?
"Culture may eat strategy for breakfast," as the saying goes, but an amazing culture and team playing the wrong spot or going in the wrong direction won't create a dynasty (or an effective security program!)
Establish and Reinforce Culture
Once you have a strategy in place, it's time to rally the troops. Promote that guiding policy that aids in decision-making and stands as a reminder of how best to prioritize tasks, people, and energy.
As you hire, it's all about the team and processes, events, and other aspects of execution that reinforce the strength of the team. Furthermore, the traits of your teammates need to be about team first, ego second (or … last). And you can't just roll out some terms or a poster and assume culture is taken care of — it's an ongoing reflection of what behavior is promoted (and allowed), what traits are effective in making your business successful, and where leadership chooses to spend its time.
Focus Security Time and Energy
Of course, everything we just said is a never-ending process, but let's assume you have a strategy and a culture that will charge into battle in pursuit of it. It's time now to think about everything in security, as you have a supply of time, and all risk reduction is demand for that time. How will you balance supply and demand? Too often we get caught up in advanced technology, or new threats, or other ways of over-thinking that security is really a supply-and-demand equation.
Want to spend less time on investigations? Harden your environment and work on the cyber hygiene of your population. Want to patch fewer systems? Deploy fewer systems or utilize platform-as-a-service (PaaS) or software-as-a-service (SaaS) where you have less of that work to do. If you can break down these various strains on your supply of time, you can find ways to move the needle.
Remember, we all need to, in all things in life, focus on the vital few versus the trivial many. Security is a great reminder of this because it feels as though the security team in each company is often the most-stretched team, with all parts of the business adding surface area and pressure. If we think about everything as the vital few versus the trivial many, and then we work to maximize the supply-versus-demand equation, we have a fighting chance.
In part 2, we dive a bit deeper into some specific things I recommend you do immediately: Doing Less With Less: Focusing on Value