If you’re still on the positive side of the cost/benefit analysis, here’s what you should do today about all these outages: nothing.
Smart leaders don’t react, they respond. They don’t chase pendulum swings. There are a lot of them at the moment—every time there’s a widespread security event (log4j), an operational event (the CrowdStrike/Azure outages), or a strategic shift (AI), the airwaves fill with reactionary FUD. Don’t bite.
It’s been interesting to observe the diversity of opinion about what to do next. If you believe that addressing “concentration risk” means buying, feeding, and watering 3 different EDR tools or cloud platforms, you have probably never had a job in operational IT/security.
A history lesson might be in order. The whole reason the industry started consolidating tools/platforms in the first place is that we had dozens of overlapping tools and services, unsustainable complexity, and reduced availability, performance, and effectiveness as a consequence. We should not be waxing poetic about the world we left behind, and we for sure should not be following the reactionists backwards towards a demonstrably worse risk position—however consequential the media/LinkedIn FUD might seem on the surface.
Principles to live by:
- There are no solutions in security, there are only trade-offs.
- That means you have to decide which problem you’d rather have.
- Risk is not a problem to solve, it is a tension to manage.
- There is no world where this is not true, no matter what the pundits or the politicians say, or how the pendulum swings.
- Trust your data. If you don’t have the data, that is a bigger problem than the problem itself.