I love watching home improvement shows where some experts come in for a week, transform a space or a house, and then the editors condense it all down to a 22-minute episode thick with product placement and commercials. It's not so much the content of the show that fascinates me, it's the process. A team of experts does in one week what seems unbelievable: completely transform something from junker to jewel.
I see a lot of similarities between those shows and what we do in many Information Security projects. We're asked to come in and, in a short amount of time, find and fix problems with an organization's IT security program. But it's a daunting task to do this in a corporate environment. In addition to the budget and timeline constraints that the fix-it shows have, in our industry you have to consider things like politics, change control, legacy systems, staffing, organizational capability, etc. The budgets are typically bigger, but so are the problems. And any solution you come up with will have to last a long time.
These fix-it shows often take short-cuts to get the job done. Often these short-cuts are warranted, but sometimes they're not. For example, let's suppose the team is faced with a leaky roof and damaged wood and drywall. In most situations the team makes the decision to fix the surface problem as well as the underlying root cause. But in some shows they just want an immediate and cheap solution. These are usually the shows where they're just trying to flip the house quickly. The hosts fix the surface problem but neglect, hide or provide a cheap patch for the more expensive root cause. If the problem recurs, it is left to the future homebuyer. Usually in Information Security, as in house flipping, this cheap fix is not the right approach and leads to long-term disaster.
But sometimes this cheap-fix approach is appropriate in Information Security. For example, how much effort do you want to put into fixing a system or process that is broken? Well, that depends on the situation. Let's take, for example, a server that is missing dozens of patches, is running an outdated operating system, is out of warranty and is not tied into the centralized identity and access management system. Now consider two different scenarios: in one, the server is mission critical and must continue to serve the business for the foreseeable future; in the other, the server is used infrequently and only required for retrieving historical data. In the first scenario, the savvy consultant will recommend upgrading system and network protections to safeguard against potential issues but with minimal impact to the business. In the second case, the right move may be to take the server off the network and require physical access to retrieve the historical data.
Going too far in the way of security is just as detrimental to the business as not going far enough. The best consultants are able to weigh the security and the business concerns through the lens of risk. And they get it right most of the time. Lesser information security professionals can range from well-intentioned but suboptimal to criminally negligent. Expertise, experience and knowledge of your particular business are key to making the optimal decisions. Though these consultants may seem more expensive on the surface, in the long run they can save you from putting the wrong kind of fix in place.
Both home improvement and InfoSec compare the individual to their peers. In home improvement, it's common to look at other houses and find what, on average, makes them sell at a higher value. In InfoSec there is a similar technique we call "best practice". Most of the home improvement shows try to appeal to the broadest possible audience and take into account the latest trends. In information security this practice is not very wise because our goal is fundamentally different. We're trying to solve a particular problem within the context that it exists and within the organization's unique culture and constraints.
Blindly following "best practice" just doesn't make sense. The practice of identifying best practice is reductionist. That means you look at a lot of organizations and document the common things that they are doing in Information Security, such as the specific types of people, process or technology and how they are used. But this tells us nothing about why those things are effective or how to integrate them into an individual organization or security program. A good security professional must consider each organization in light of the people, processes and technologies they are assessing and recommending. Too often organizations ask us to just apply best practice to them, or to just help them do what others in their industry are doing.
Let's again go back to the home improvement industry to see why. "Best practice" here would indicate that front porches, stone countertops, textured walls, bold paint choices, hardwood floors and tile floors will improve property value. Therefore the savvy home improver will look to use these elements in their remodel. But how and where to use them are not defined by best practice. So simply applying these practices without a good overall integration strategy will lead to some pretty horrific mistakes. And these best practices say nothing about future trends or which trends will last. I should know: my house is a Frankenstein's monster of "hot" elements that seemed awkward and dated when I bought it.
Let's take a side-track to my personal story to illustrate the point. My house has nice old hardwoods in most of the house, and though the deep mahogany looks great, it makes the small space look smaller. I have tile in the dining room and kitchen, but the tile was a poor choice for the location: the floors flex too much and the pattern is easily mistaken for food stains. The countertops and backsplash of my kitchen are terra cotta, a textured stone that looks nice but traps stains, germs and dirt and is hard to clean. My textured walls are too textured and the bold color choices look awkward in combination. So as you can see, blind application of best practice, without consideration of the existing properties of the space, leads to disaster. Consequently, I bought my house well below market value, to the consternation of the renovator who hoped to make big improvements without much effort or forethought.
Now let's step back into the world of information security and see how the previous example applies. An information security organization that blindly applies best practice will end up with similar problems. Best practice says to patch everything as soon as possible. So what of the organization that patches everything as soon as the patches are available? They end up spending lots of resources to do the patching, causing extensive downtime, compatibility problems and extra work to validate all patches. And how much more security will this real-time patching bring over, say, a quarterly or semi-annual patch cycle, with occasional out-of-cycle patching for the highest-risk issues? Odds are, not much. The additional risk of not patching immediately will be more than offset by the reduced costs and risks of the less frequent patching. Similar outcomes exist for blindly applying best practices in anti-virus, firewalls, adversarial testing (pentests, social engineering, etc.), governance, compliance and just about every other area you can think of.
Viewed in the context of risk, simply following best practice is a very haphazard way of going about things. A risk-based approach is one that takes into account the organization's existing strengths and weaknesses and makes recommendations prioritized by what reduces risk the most. In the home improvement world, this would be like bringing in someone to help figure out where to make improvements to increase value the most and sell the quickest. Smart homeowners who use these fixers often get more money than they spent, whereas those who simply try to match what everyone else is doing probably don't.
The point is that information security cannot be done like a home improvement show. The consequences for getting it wrong stretch out far into the future and can have negative effects for the organization and staff. But through careful and practical application of expertise, experience and specific knowledge, any renovation project, on your home or your information security program, can be a success and add value.
- Beau Woods, Dell SecureWorks