You Don’t Scale

The more that information security incidents are in the news, the more often we hear that there aren’t enough people to do all of the work necessary to batten down the hatches against everyone who’d like to compromise our systems and networks. The U.S. Government has been particularly vocal in discussing a shortage of security talent, but it’s not uncommon to hear this refrain in business circles as well.

If these folks are as difficult to find, hire, and retain as we’re told, then we only have a few choices:

  • Train them internally;
  • Automate as many security processes as possible;
  • Do things to make the people you have more effective

Most people choose door #2 as a way to get what’s behind door #3.

There is a common criticism of information security practitioners: that we depend too much on technology, even when the core problems may not be technical ones. Those critics have a point: effective security isn’t something one can buy in a box and then proclaim victory afterward. However, in the face of limited talent, deploying a new technology may be the most straightforward way to attempt to address some risks. The reason is simple: many of the best security products tend to embody some very specific, reproducible, automation-friendly aspect of security expertise and perform it tirelessly, over and over. You may have the best internal security people in the world, or the best world-renowned consultants, but the bottom line is that humans don’t scale particularly well.

This is true whether you’re the security manager with the responsibility to keep your network safe 24 hours a day, or the consultant who parachutes in to save the day when things look bleak. The former can only hire so many staff members, and the latter can only be billed for a finite number of hours in a day/week/year.

If experts are in short supply, then one of the most scalable options is to encapsulate the expertise of rare, highly paid people and build it into a mechanism that can attempt to apply that expertise to real environments, be they network traffic flows, host configurations, or software updates.

There has yet to exist a security product that solved all of the world’s (or even one enterprise’s) problems, but if we look at some things that made a difference in the state of the art when they arrived, they tend to fall into a few categories:

  • They allow less-senior people to do some work that used to be the province of a few
  • They help people to make better sense of information they (usually) already had somewhere
  • They help less-technical users to avoid inadvertently hurting themselves
  • They fundamentally changed some aspect of how we work or build systems to make them inherently more secure*

*This is where the most value is created, but it’s also the most difficult.

If you’ve gone to the trouble of building something to solve a problem for yourself, and believe that other people have the same problem, that’s called a market opportunity.

2 thoughts on “You Don’t Scale”

  1. I agree with you that automation of security processes would be ideal where it can be implemented, but you are forgetting to mention (perhaps intentionally) that in order to truly assess the products in which to invest, you need someone who is already security minded. That can be done through a consultant if needed, but then you run into the heavy investment of time to set up said product. Then add in tuning of the product, maintenance, etc. The truth is, most security products are still heavily operated by someone pushing the buttons to make it go. There are some products which are set and forget, but they are few and far between.

    • Thanks for the comment. If anything, I believe I advanced the case that our entire sector is labor-intensive, which was certainly one impetus for the post.

      It’s almost axiomatic that deployment of most enterprise security products involves effort, often by people with specialized skills. That doesn’t mean that it’s impossible at times to offload previously manual workflows, in whole or in part. No one is asserting that automated code reviews are identical to what a human does, for example, but I’d argue that the blade cuts both ways. At least a code scanning package doesn’t get tired or have a bad day.

      Discussions of automation often get sidetracked by the same all-or-nothing mentality that has so poorly served the security community for the better part of 15 years. Sometimes a little goes a long way in helping to make people more effective.

      Set-and-forget isn’t the only mode in which automation can operate, but it’s nice when we can get it. It is important not to lose the vision of how we’d like things to be even as we try to survive the daily onslaught.

      The goal of this post is to reach that legion of security professionals who are building things with a novel approach to security, but who, for whatever reason, haven’t made the connection that they may have solved a problem for a larger population than simply themselves.
