The pressure to be profound is such a stumbling block in our industry. It emphasises the sophisticated over the simple, but almost always the latter is more effective in security. For example, we love to focus on “controls”, but you can’t define a control until you have first defined a control objective. What (specifically) is the control controlling? How will you know (quantitatively) if it is or isn’t achieving that objective?
You’d be forgiven for assuming this happened by default, but security programmes all over the world, enabled by the security vendor industry, are literally built on the backs of technical controls with amorphous (or absent) control objectives. “We need Widget X, but we have no idea how to measure Widget X’s efficacy—we just know that we need it, because of Threat Y.”
Which makes for interesting conversations, when it’s time for a change. All the time organisations ask Microsoft to quantitatively demonstrate the efficacy of our security products (which is fair), but very rarely (and I mean very rarely) does anyone have the same data for the incumbent technology. We may well run a bake-off now to compare performance, but who was asking the hard questions about performance against objectives the last 3 years?
No one is the usual and honest answer. For many, the last time that was assessed was when they did the previous bake-off 3 years ago, which led to the current incumbent. Our industry is scarily reliant on flimsy point-in-time snapshots which set multi-year trajectories.
Since then, the presence of the control has justified its own existence, simply because of its association with some (equally amorphous) risk scenario. Whether or not risk was reduced by this control in a quantifiable way over time, no one knows—even though that was the (unstated and unquantified) objective of the control.
Our industry needs a serious shake-up, but most of the paradigm shifts have nothing to do with technology. Technology is often the distraction, in fact…like a red laser to a cat. Who’s controlling the laser?
Don’t give in to the pressure to be profound and sophisticated. The things that will make the biggest positive impact on risk are not sexy. Things like patching and identity governance, yes—but also business basics like defining clear and measurable control objectives before investing in and deploying new controls. It’s time we held one another to a higher bar.
You Can Be Profound, or You Can Be Effective—Pick One
September 4, 2024