RJS Lean Security: The Smarter Way
There’s a way to make your security strategy work smarter, not harder. Perfect security is a pipedream. So use what you have and learn from what works. Follow these principles when building your lean security strategy.
The idea of perfect security is a trap.
Unlike you, attackers are not limited by resources, budgets, laws or ethics. They can launch any number of attacks anytime, from anywhere. This means you have to maintain a strategic balance between defense and response.
Since perfect security isn’t possible, embrace the 80x5 rule. Instead of investing your resources in a single layer of nearly perfect defense, create five slightly imperfect layers that address all threat vectors an attacker may look to exploit. An attacker is often looking to take the path of least resistance, so an organization with one wall of defense looks a lot more appealing than a company with a blockade of five walls.
Always stay a move ahead of your opponent.
If you are constantly focused on reacting, you are not taking the time to learn and adjust your security strategy based on your experiences. Your attackers are constantly evolving, so you must, too … just a little faster.
By enhancing operational efficiency, you keep attackers in check. Embracing best practices, studying your opponent and measuring the effectiveness of your security efforts are imperative in this game of chess. When you find something that works, keep doing it and constantly adjust the process so you evolve quicker than those looking to harm you. Focus on learning, instead of just prevention, and you will improve all aspects of your security program.
Make better use of what you already have.
Before you invest in yet another expensive security project, fine-tune the security technology and processes you have in place. Are your defense systems fully-patched? Have you turned on all the necessary features that came with your original product?
With no cost necessary, optimize your security environment with the products you currently own. Rid yourself of unused legacy systems, explore open source solutions and adjust your current lines of defense. By using what you have and improving internal operations, your organization can mature to a point where your next product purchase fills the few remaining holes your current defenses don’t quite reach.
The right security strategy for right now.
The days of defining and executing a rigid multi-year security plan are over. Since attackers are incentivized for rapid change, you must also adapt to the always-evolving threat landscape. An inflexible security plan will create holes quicker than you can fill them.
Instead, you must operate with transparency and agility. Be transparent by engaging your entire operational staff with education that teaches them how to best protect your assets. Be agile by remaining open and willing to alter strategy quickly when needed. Determine what you need to do today, what you ought to do tomorrow and what would be nice to achieve next year. And don’t overlook the simpler and smaller projects during those cycles. They are cheaper and often more effective because you can actually get them done.
Part of your team, not instead of your team.
Without a highly-skilled and experienced staff of security experts, it is extremely difficult to remain unscathed from the many possible attacks waged against your organization each day. Thus, it is sometimes necessary to leverage the knowledge of others.
When soliciting outside advice, look for a consultant who is willing to help you learn. While a good consultant puts out a fire, a better consultant helps you put out the fire and finds ways to stop new fires from starting. Too many companies enlist the assistance of outside consultants, let them fix their problems and then completely forget about them. Without tackling problems together, you lose the opportunity to share knowledge and experience. A consultant should always be viewed as an extension of your team, not an outsider.
A smart investment for smart growth.
Once your internal operations are working well and you are effectively using what you have, it's time to grow. But before you purchase another layer of protection, first identify what really matters to your business and create goals you can measure to see if your next project will indeed be a success.
Begin by running tests with free trials and open source technologies to ensure the next project accelerates response time and improves your team’s learning speed. Plan, but plan lightly to avoid analysis paralysis. Once you clearly understand the problem and the technology that can alleviate your concerns, invest smartly.