Always reach for defense in depth with proposed security changes. Measure and test results, focus on items of greatest impact, and get C-suite members involved to drive better outcomes.

Ben Johnson, Chief Security Strategist, Bit9 + Carbon Black

June 12, 2023


The first half of this two-part article is here: "Cyber Essentialism & 'Doing Less With Less'"

With the RSA Conference in the rearview mirror, we have to ask ourselves: does the show floor actually lead to better risk management and/or risk reduction? It seems like a silly question, but given how many millions of dollars are spent on that show floor, if we cannot definitively plant a stake in the ground and shout, "Absolutely," then there's a huge problem with our industry. For me, I'm not sure I can shout, "Absolutely."

To follow up from our previous article about cyber-essentialism and doing less with less, let's continue to look at how we can help our own teams make sure we're providing functional value to our organizations.

It's Supposed to Be Defense-in-Depth, Not Expense-in-Depth

We know the drill — install a bunch of security products, get value from some, continue to tune, tweak, point our teammates at them, and then add more in a repetitive cycle. Let's fix this.

Recently, I saw an article about how SpaceX tries to optimize its processes, and the first thing the people try to do is remove a step. After all, if you can remove a step, why would you optimize it? So can you remove anything from your stack? Is your company moving to the cloud yet you somehow won't let go of that network monitoring solution for your offices? Do you still have 20 agents running on each Windows machine? Are you installing a specific firewall or proxy for just one business unit or legacy application?

The need doesn't have to be zero before you remove something. It's OK to decide to no longer spend hard-fought security dollars on something when IT or the business just needs a nudge to modernize or change its approach. Be creative, but ultimately make sure it is always defense in depth, not expense in depth.

Have Confidence in Your Defenses

Have you seen movies like Apollo 13 or The Martian where the control room asks, "Could this be instrumentation failure?" For you, in your security program, if you're seeing something unexpected, could you determine if your tooling, data, or intelligence is off? If you can, can you do it quickly?

Beyond being able to detect "instrumentation failure," you should be conducting validation tests and performing red-teaming to make sure you actually can detect, block, or eradicate the things you believe you can manage, or at least have evidence of them. "The more you sweat in here, the less you bleed in the streets," as the saying goes.

Doing less with less should mean that fewer things can be done at an extremely high level of quality and assurance — so make sure you are measuring and testing.

Conduct a Business Value Assessment

Quantifying value (or risk) is hard, but enduring those hard yards can set your organization up for prolonged, sustainable growth. It starts with quantifying what impact your tools are having. A few areas to home in on include:

  • How much they are hardening your environment

  • The importance of what they are protecting

  • The rate at which they are accelerating detection and response

  • Whether they're building in default ways of being more secure without employees having to change workflows

At some point, you should be able to rank all the "things," draw a line of how much you can spend or manage, and then focus on the stuff that has the greatest impact. Do you remember essentialism, which is to operate at the highest point of ROI? That's what we are talking about here — we're just trying to do it with data instead of a feeling or 20 years of legacy deployment "comforts." Focus on what matters, and defend it well.

Force the Business to Care

If a business unit deploys a tool such as Salesforce or ServiceNow, it stands to reason that it should have some (if not all) of the responsibility for deploying it safely and securely. Though businesses might not have all the skills and experience, it's important to make the distinction that security is a guide that can offer a sanity check, but it's ultimately not solely responsible for all the security aspects of the app. We need the business to care.

Beyond business units and specific applications, when was the last time you asked various C-suite members what they thought were the biggest cyber-risks? Or what they thought the crown jewels are? Table-topping and interviewing are great ways to try to align resources and commitments and allow you to focus on less (and therefore, hopefully, do less) but have a larger impact on defending what matters. If you have worked on your own business value assessment, share this information and get input from others who have different perspectives and mental models. Collaborate and prioritize together to drive better outcomes.

Cybersecurity as a Driver of Value

Doing less with less in cybersecurity demands a collaborative and methodical approach to allocating resources. That means regularly reviewing the state of your security tools and how they're working for the organization, as well as making sure you have buy-in and alignment from the C-suite. Money spent on security isn't a marker of a security posture's strength. It's about using those dollars on solutions and processes that suit the organization's needs and promote sustained growth.

About the Author(s)

Ben Johnson

Chief Security Strategist, Bit9 + Carbon Black
