We spend a lot of time in the security industry complaining about stuff. Two of the top complaints that I see and hear are:
- Why do we still fail to consistently apply the ‘basics’ (even though they are far from basic: https://www.kevinfielder.co.uk/security/foundations-or-fundamentals-not-basics/ )?
- Why do people keep investing in shiny new ‘silver bullets’ when they have not yet achieved the above…
It’s easy to blame ‘the industry’ and ‘security teams’ for this. However, while this may be true, we also need to recognise that it is human nature at play.
As is often the case – the security industry isn’t as special or unique as we like to think. It’s likely to become a theme, but I see so many parallels between the health and fitness industry and the security industry.
On the one side you have human nature and the seemingly ever-increasing number of people looking for the quick fix.
This is fed by an industry that thrives on selling the magic pills and powders to get you in shape with little or no effort. Or the 20-minute ab workouts etc.
The outcome for consumers is millions of people not happy with themselves and not getting healthy despite spending their hard-earned cash and following the advice from magazines and influencers.
The outcome from an industry standpoint is huge profits from selling supplements, workouts and health advice that is mostly bullsh*t, while keeping customers on the merry-go-round.
This is made worse by huge amounts of ‘peer pressure’ from social media and advertising etc., making people believe they are not good enough if they don’t achieve the carefully curated and sometimes outright fake imagery in adverts and on social media.
In reality the solution is simple, but not easy. If you want to be fit, healthy and resilient, eat well, do the fitness… Consistently. Every week, every year.
Contrast this with the security industry.
On the consumer side we want immediate and easy results, so we are tempted by the latest shiny advertising stating how solution X will solve our problems. Our jobs are hard, so it’s understandable that people can be tempted by promises of an easy solution to securing our organisations.
On the industry side we have so many companies trying to sell the dream. Whether this be with products that frankly don’t work properly, or by completely mis-selling things that may be good once you have a high level of maturity, but are next to useless if deployed before all your fundamental security is in order.
We also have to realise that for most companies selling ‘security’, as with the fitness industry, they never want us to be ‘done’ or ‘satisfied’ as they need us to keep jumping on the next product bandwagon or the next Gartner magic quadrant.
This is again made worse by ‘peer pressure’, either from satisfied customers telling us how the solution fixed their issues, or from our own exec teams asking why we have not deployed solution X after they saw an advert in the FT or the Economist. That’s right, security firms are not averse to advertising their solution to non-security folk in the hope that this will apply more pressure to security teams.
Again, as with your own health and fitness, the solution is relatively simple, but not at all easy.
Work with your teams and wider organisation to build foundational security. Do this consistently, with rigour, day after day, year after year. This will get your organisation into a great place. Then, if you want to and your risk appetite requires it, you can assess the shiny ‘advanced’ security magic to layer on top of your solid foundations.
So next time you’re tempted by a shiny new amazing security solution, don’t beat yourself up. But try to stay the course – assess what your organisation needs and ruthlessly focus on the fundamental / foundational security you need.