I remember listening one day to a story about “cutting corners”. A construction company owner used to have his machine operator dig ditches with walls going straight up and down. The problem with walls like this is that, lacking support, they tend to collapse, which is not good for any humans working inside.
One day he heard yelling and the sound of someone running, and looked into the hole to see one of the workers sprinting along the top of the concrete pipe that had just been laid in the trench. The worker leaped off the pipe when he reached the end of the trench, just before it collapsed.
Phew! The owner and the worker dodged a bullet there!
The point of telling me this story was the importance of not cutting corners.
A ditch digger/operator, when excavating a trench, has the option to make it safer (as in the picture below, for example): you can erect barriers to support the walls, or build out the sides. This costs money, and depending on the risk you are willing to take, you may prefer lower costs and higher risk.
Decisions in isolation, versus decisions with layers of complexity.
In isolation you can make good decisions. So, where do things fall apart?
When you build up the complexity of various security technologies, fluid architecture and design, business requirements that never slow down, and multiple opinions from staff, consultants, auditors, etc., this is where you make mistakes. This is where you (and everyone else) lose track of where you are.
Handling 1 to 10 discrete IT security decisions is manageable. But when you attempt 20, 30, 40, or 60+ (all small to medium environments have 60+), you get lost. I know this because I see it.
It does not matter whether you anoint someone as the CISO or “your guy in charge of IT Security”. Regardless of who you assign IT security responsibilities to, they are getting buried.
As I think further, I wonder…
“Are you building a straight wall ditch in your IT Security environment, or one with curved safe edges?”
That said, I understand why this is happening to you. It is a necessary evolution as we move more and more processes into digital form, and on top of that move non-physical assets into the cloud.
I get angry because with a physical object like a construction site, OSHA, government agencies, the project manager, the auditor AND your boss can all see the safety and risk issue; it is clear and right in front of your face.
IT security is more difficult because it is made up of mostly non-physical attack surfaces. For the most part you are facing a battle of bits and bytes: ephemeral, non-physical elements.
The scope is too wide and too complicated.
So how do you know if you are cutting corners?
You don’t …
But… Here is how you get control of your enterprise:
- Make sure you have a clear and visible view of your actual security posture across all risk categories.
- Don’t make decisions in isolation anymore.
- With the overlapping features and functions of security technologies, you need to be able to see and visualize the broad impact across all domains.
- Have a complete consolidated risk summary of actual risk in your organization to give yourself a defensible argument.
Here is the type of chart you need to see as the IT business decision-maker, regardless of your title. You need to see the full breadth in order to win both auditor and ‘real’ IT security battles.
Listen to no one, except your own wise analysis, based on a defensible framework that assesses all your needs at one time.
Bill Murphy founded RedZone Technologies, a world class IT security assessment company, in 2001. RedZone helps you combat auditors and others who may be preying on your perceived weaknesses. The team at RedZone are experts at turning perceived audit vulnerabilities into offensive advantages.
Reduce the Ceiling of IT Security Complexity with the CIO Security Scoreboard. Learn more here