Scene 1: 

At one time in another “life,” I was hiring developers for a commercial product. We had a candidate who was sharp, if a bit quirky, and, with the agreement of my team, I took the recommendation to my manager (who had interviewed the candidate). His reaction? “Do you really want to hire someone who will sit in the corner playing with shiny objects?” He respected my choice, and we hired the candidate. My boss proved to be right.

Scene 2: 

Roll forward to current times. A client subscribed to a major cloud access security broker (CASB), a service that allows one to set up rules or monitor connections among your cloud and on-premises applications with the intent of limiting inappropriate access and preventing data loss. The security analyst who led the acquisition and operation of the CASB kept promoting detection and blocking rules for a variety of potentially malicious (or at least inappropriate) use cases.

On review by IT management, many were rejected because (1) they were too onerous for the user community, smacking of “big brother, (2) they were almost guaranteed to generate huge numbers of false positives, and (3) they did not assure risk reduction of any substance. Essentially, he wanted to implement many of these rules because he could, not because he should. Today, I doubt the client is using more than 5% of the capability; it is not worth the (significant) cost. The whole exercise was cloaked in “security’ – another example of playing with shiny objects.

Scene 3: 

At a recent conference, about which I’ve commented (insert linked in the post), I was taken by the number of speakers who promoted process and people over technology, in spite of the fact that several of the speakers represented vendors in booths next door, in the room that was dedicated to shiny objects. As I stated in the post, I wholeheartedly agree, but then again, I’m a “process guy.” I firmly believe that technology must be implemented within a well-thought-out process if you expect the technology to do anything useful.

The Broader View: Effective Technology is Critical to Your Success

Consider some of the key practices needed to implement a mature security practice – risk management, vulnerability and patch management, major incident response, change management, identity, and access management…I could go on. You should recognize most of these as largely process-driven. Admittedly, these are rather boring. Defense and detection get our juices flowing and just beg for strong technology. But focusing on technology and buying lots of tools leaves you with two questions: “Who’s going to run all that, and who’s going to synthesize an accurate picture of an unfolding attack when all the screens start flashing?’

Effective technology is critical to your success in defending your technology assets. But if you don’t have surrounding processes your security analysts have tested with success, technology will just add noise and will stretch your staff. With the absence of good processes, implementing technology is just playing with a bunch of shiny objects.

If you’re interested in discussing coherent processes for embedding and integrating technical tools, contact Newbridge Cyber & Risk.