Does Cyber Security Have An Operational Excellence Problem?
Generally, as any start-up matures, the people working in it go through a professionalization process. Silicon Valley may be home to companies where jeans and flip-flops are the norm, but Mark Zuckerberg, Steve Jobs, and Bill Gates are examples of how managing rapid growth and taking a company public leads to greater levels of financial and organizational maturity, as well as hierarchy that echoes the structure of traditional businesses. This is logical – it’s one thing to be operating out of your garage when you’re still trying to find investors for your disruptive idea; it’s another thing entirely once your company is worth millions, if not billions of dollars. Achieving a level of operational excellence allows startups to scale.
Yet this evolutionary process is not universal. Enterprise security culture, in fact, is a prime example of an area where operational excellence struggles to emerge, despite the fact that in today’s business climate every company depends on and needs operationally excellent security. Why hasn’t this growth occurred?
Following the RSA Conference last week, I had the opportunity to speak with Amit Yoran, the chairman and CEO of Tenable, a cybersecurity company focused on helping organizations understand and reduce their cyber risk. We discussed the reasons for the slow emergence of operational excellence in the security realm, and he offered up his theory for why this problem exists and some guidelines for how companies can overcome it.
Security is about processes
Quality security is not just about the strength of the locks and other mechanisms that make up the anatomy of a cyber security solution. To complete the solution, cyber security must also be about enforcing processes. Process discipline can be redundant and monotonous, but it’s how quality protection is implemented and solidified. Just look at the way the Secret Service or the military go about their security procedures – agents and soldiers are trained to perform the same routines over and over to ensure safety.
Now think about the people who work in information security. They’re generally not people who have been successful by following orders and regimented schedules. As Yoran pointed out to me, “While a lot of security industry leaders have military or government backgrounds, many have risen through the ranks because they look at the world differently. They’ve thrived off of a creative mentality – the hacker mindset – not through disciplines that require and cultivate a skillset in operational excellence.”
It’s also about the rapid pace of change
Yoran also pointed out that it’s not just a mindset issue that causes the operational excellence problem. There’s also the fact that the technology landscape is so dynamic and ever-changing.
“Because technology is changing so rapidly, how organizations embrace and deploy technology is and must change just as fast,” he said. “And quite frankly, it’s hard to have operational excellence when you’re in a constant state of change and embracing new technologies.”
This is obvious, but profound all the same. Many companies and security professionals just don’t have the luxury of being able to thoroughly vet, understand, and then protect all the new technologies that are being adopted or used by their employees and clients. And that pace of adoption is only accelerating, leaving security professionals forever playing catch-up, especially as more and more business systems migrate to the cloud. The cloud can outsource some aspects of security, but it doesn’t provide a complete solution. This, mixed with the heroic hacker mindset of many in security, leads to the operational excellence problem, in which people chase the shiniest threats rather than working through all the procedures needed for high-end enterprise security.
My favorite example of this is the rise in attention to AI in security, which, in my opinion, will be of limited value in the short term and must overcome some significant hurdles in the long term. Instead of considering the possibilities of AI, security professionals would do better to ensure that they have up-to-date backups of their entire environment and that restoring data is easy. This provides a huge, if boring, layer of protection.
Guidelines for operational excellence
So how do you overcome this problem and achieve operational excellence in your security? Yoran offered up a number of ideas that stem from Tenable’s business model and approach to this landscape.
- Start By Knowing Yourself: Yoran emphasized that companies have to engage in rigorous self-analysis to understand what operational excellence should look like for their security. “Without knowing where your exposures are and how they could be attacked, you’re incredibly vulnerable,” he said. Those are the very issues Tenable seeks to address, the foundational questions of many CIOs which are “in this new world order, what does my footprint of technologies look like, how are they vulnerable and how can I efficiently manage and mitigate risk?” Companies must engage in some sort of mapping of their technologies to gain this understanding – and that means not just your network, but your cloud, containers and your entire enterprise environment.
- Understand Your Blind Spot: Tenable offers companies the ability to map their tech landscapes and understand where they’re vulnerable. But as Yoran told me, what Tenable’s tools often reveal is that even the best companies only have visibility into 93 to 97 percent of their computing environment. The rest, as Yoran put it, “is dark matter.” Having tools that offer a metrics-based analysis of your systems and of how they comply with regulations and other requirements is essential, so you can at least know what you don’t know. “So many people don’t understand that security is still your responsibility, even if you don’t know about an area where you have an issue. Your assets are your problem if they’re not secure,” Yoran said.
- Be Proactive, Not Responsive: Too many companies think of security from a response mindset – the idea of attacking the problem once you know it’s there. But as Yoran shared with me, that has it backwards. “The best instant response capability in the world is a nonsensical waste of your money if you don’t understand your asset base and exposures,” he said. “You need to know what is critical, and what is not, and then implement proactive measures to protect those things so you’re not always solely playing defense once something goes wrong.” This is especially pertinent today, when so many of the tools we all use, from thermostats to webcams to TVs, are part of the IoT. These devices carry more vulnerability than traditional ones: while the IoT brings advantages, it also brings a lot of risk from added exposure – every device becomes a hackable security issue.
- Focus On Low-Hanging Fruit: As I mentioned earlier, many security professionals come out of a mindset where they focus on reeling in the 40-pound bass rather than catching 20 ten-pound trout. “With compliance security best practices, there’s a lot of low-hanging fruit that is much easier to achieve and will provide greater value than reaching for the stars,” Yoran said. This means doing all the small things that are necessary for quality security, from stepping up password security, to limiting employee access, to devoting the maximum resources to the crown jewels.
My conversation with Yoran should serve as a jumping-off point for companies to recognize that they need operational excellence over their security. By getting the tedious and simple stuff right, you can do the more advanced stuff much better. Ignoring operational excellence only opens you up to avoidable risks. Process and routine might seem boring – but they’re essential to quality security.
The post Does Cyber Security Have An Operational Excellence Problem? appeared first on McAfee Blogs.