I’ve learned a ton of lessons over my years in the InfoSec world. I’ve made a lot of the right calls, but also a bunch of wrong ones. One of the lessons I have learned is how to operate in an environment of scarcity. This lesson started long before my career did. Growing up, I was the child of a single mom who waited tables to make ends meet. I never had everything I wanted, but I always had the things I absolutely needed. My lesson continued in the United States Marine Corps. We got hand-me-down gear and were slow to adopt new technology. I ate an MRE that was made in 1984. We had a .50 cal in our armory that was built in 1945. This was the mid-90s. I learned very quickly that you don’t need everything in an armory to accomplish a mission. As Donald Rumsfeld said:
“You go to war with the army you have, not the army you might want or wish to have at a later time.”
Other than the Coast Guard, the Marines do more with less than anyone. We learn to improvise, overcome and adapt to an ever-changing battlefield. We have to continually shift tactics based on what the adversary is doing and what the rules of engagement are. Sound familiar?
Over my career the same has held true in cyber security. I’ve started programs where the only security line items were firewalls and antivirus. I’ve had to lead through this challenge numerous times, and so have most of my peers. We never get all the things we need. Some of us are able to drive success given constraints, while other programs fail to achieve results. Why?
I have worked enough jobs for long enough to know that, most of the time, you don’t get more resources—often you’re capped at around six. The “work” doesn’t change. We still have to be compliant. We still have to patch. We still have to respond to alerts. We still have to enable the business. We still have to make changes and move forward.
So how does one who leads these types of programs still make progress and achieve objectives while under these resource and fiscal constraints?
There are programs that still move forward and achieve their objectives. In InfoSec the answer is never as easy as everyone makes it out to be, but there is a path to success. My core belief in overcoming, adapting and improvising has served me greatly over the years. I hope by sharing some of the lessons I and others have learned, we can drive a conversation to help each other as a community be successful in overcoming the obstacles we face.
Choose what you are going to be good at.
Figure out what is the best use of your time. Every new thing requires care and feeding. Where is time best spent for you and for your teams? It’s impossible to be good at everything, but you get to choose strategically what to excel at.
Partner where you can to leapfrog maturity and lower overall cost.
Having a managed detection and response (MDR) provider or a managed security service provider (MSSP) can give you visibility and maturity across areas of your program, and it provides huge value early on while you build out your own competencies. This model also helps serve the continuity of the program when your own team turns over.
Find trusted advisors.
These may be external partners you pay or long-time InfoSec peers. Whatever the case, talk to them. See if they have already solved some of the problems you are facing.
Shared POCs and bake-offs.
Find similar programs with similar needs and share the time and resources of a proof of concept (POC) or bake-off. This keeps the time and cost down, and it also gets your team closer to members of other programs dealing with similar issues. Decide on the criteria and outcomes you want to see up front and discuss them as a team. This won’t work in all cases, but it can help. It also facilitates threat intelligence sharing, because if the same technology is deployed in similar environments, multiple teams will be working off the same platform.
Be a member of your local round table.
CISO roundtables exist. Participate and share wisdom, knowledge and information. This will also help in making technology decisions. Be part of the community. There are too many benefits to list, but this is an invaluable resource.
Embrace Open Source.
You will have to strategically pick your investment battles. Open source and home-grown tooling is awesome, but you will need to recruit the right team if this is part of your strategy. It can save money, but it requires dedicating team time to maintaining and troubleshooting what you build.
Embrace the cloud.
This can save you money and helps align spend to OpEx rather than CapEx. You can leapfrog controls and ease the pain of management, saving your team time. We should learn from our CIO peers here.
Define the defensible positions and put effective controls there.
You won’t be able to spend money everywhere. What are the most important things to protect? What are the most effective controls to stop the most attacks? Spend your money and time there. Have a defensible position for when other controls break down.
Be clear about most likely risks.
Engaging with peers, vendors and law enforcement can help here. What are the most likely things that will happen? Focusing on those will help minimize distractions and ensure spend is aligned with your team’s time to combat the most important risks. Sure, the latest Apple remote code execution POC might be really cool, but do you even have Macs in your environment? Why waste time on things you don’t need to be concerned with?
Be clear about focusing on those.
Simply put, sometimes you have to be OK with 80% coverage and move on.
Only buy solutions that integrate.
You can’t afford not to get maximum value from an investment. You need an effective stack that works together, not a one-off product that requires lots of care and feeding. Your defenses should work collectively to drive outcomes. Having five core products that provide amazing value, instead of twenty that provide OK value, needs to be embraced more at this level of constraint.
Embrace Automation.
This builds on the previous point. Make use of continuous assessment tools to keep testing, technology and compliance costs to a minimum.
Get Crafty.
Sometimes you are going to have to make hard choices. Of course you want to have all the things you need. It weighs heavily on most of us. That being said, you really do have to get crafty. Get other system owners to actually own the risk and to do work on behalf of security. Use solutions that integrate with IT operations or make IT operations easier. Get the teams to work together. Security can provide value back to lots of other functions. Focus most of your education budget on high-risk individuals, not on everyone. Yes, everyone needs training, but you don’t need to spend the majority of your time and budget here. Spend it with the 5% of people who could truly cause harm to your organization if their systems were breached.
Get others to budget for InfoSec things (this also helps prevent a giant budget cut when someone just looks at a spreadsheet).
Put the cost of security with the business and technical owners of the system. Should you own a dynamic application security testing tool for code checks, or should your engineering or dev department?
Make sure you have a function in a mature state before adding new things.
Your team is small, and it will need time to operationalize a new solution. Take that time to fully operationalize one new technology before you add another.
I also wrote this blog on how to keep infosec clarity.
These are all things that I’ve learned over my years as a security professional, but I’m always looking to learn and grow—so I’ll leave you with this final question: How do you do more with less?