Like many kids, I hated mowing the lawn. Also like many kids, I was the go-to guy for lots of family landscaping. The worst lawn to mow of all my relatives was my grandmother’s: It was big, it was weedy and rocky, and (if you can believe it) she still had a push-mower.
But the strangest part of mowing her lawn was the neighbor down the street. This guy mowed like it was going out of style — three times a week at least. But the strangest part wasn’t how often he mowed — it was that he didn’t have any grass. His yard was bald as a pitcher’s mound.
At the time, I just couldn’t get my head around why he would choose to mow in the first place — after all, what’s the point when there’s no grass? At best, it was wasteful and unnecessary — he could be inside watching the ball game instead of being out in the sun. At worst, his mowing was counterproductive — trampling new grass shoots, packing the earth, and blowing away topsoil.
It just didn’t make any sense. Was he crazy? Addicted to the smell of gasoline exhaust? Some kind of lawn-killing psychopath? What exactly was this guy’s problem? To a kid, the whole thing seemed pretty ominous.
Later in life, I came to realize why it bothered me so much. The issue was that he and I viewed mowing in a fundamentally different way. For me, I saw mowing as a solution to a problem. Short grass was the desired state, long grass represented a situation that was less than ideal. The mower was the solution — a way to get from the undesirable state of “long grass” to the desired outcome of “short grass.”
For the neighbor, mowing wasn’t a solution to anything. Instead, it was reflex. Maybe he mowed because it was his routine, maybe he really was crazy, or maybe he just mowed because he liked to. It doesn’t really matter why he did it — the point is that he did it without awareness of the underlying rationale. In other words, for him the decision to mow or not to mow had nothing at all to do with the grass — it had to do with something else.
What Issue Are You Trying to Solve?
Now you’re probably wondering what any of this has to do with security and IT. But I bring it up because it was the best metaphor that I could come up with for what I see organizations doing on a day-to-day basis all throughout the industry — specifically around the controls they deploy related to their information security.
In our organizations, controls make up a pretty large share of our jobs. We have technical controls in the form of hardware and software products, we have manual controls, physical controls, procedural controls — we have compliance programs to make sure the controls line up with what other people say we should have, and we have audits to make sure that the controls we deploy work as intended. More and more, information security is all about the controls.
But how did we select which controls to implement? Did we pick them in response to a studied analysis of the underlying problem they solve, or did we unthinkingly deploy them as a reflex response to some stimulus: Maybe a security incident that happened to us that hurt us financially, maybe we read about a well-publicized problem that some other company had, maybe a regulation said we should have the control, or maybe the salesperson told a good story. In other words, did we buy it because we knew we needed it? Or did we buy it for some other reason?
It turns out that for many of us, it’s the second one. In practice, most of us aren’t buying using on a systematic approach based on what we need (our risk) and instead picking controls based on other criteria. We often forego the (admittedly time-consuming) process of measuring and prioritizing our risk, analyzing it to find out where we need to invest, and measuring to see how that risk is reduced based on our actions. Risk analysis, as it turns out, is pretty rare.
Why Risk Matters
Systematic observation and prioritization of risk areas (risk analysis) and systematic selection of mitigation strategies based on that level of risk (risk treatment) — is not usually the driver for what security controls organizations select. There’s often a perception that risk analysis is too expensive, too time consuming, too burdensome, too much a draw on their staff to be useful.
And it’s true that in some situations, it doesn’t really matter all that much — at least not in a good economy. When we have ample funding (or at least not “barebones” funding), we can cast a wide net when it comes to control selection, and we can deploy a wide swath of technology to address issues that the organization could have — that the organization probably has. After all, more controls can’t hurt (at least, not usually).
But in a bad economy, we’re probably not going to have the funding levels that we need, and we’re going to have to make some hard choices about what to fund and what to scale back on. In that situation, selection of controls based on anything other than risk is less efficient than it could be.
Going back to the example of mowing the grass for a second — say, for the sake of making the point, we were asked to mow our neighbor’s grass while they’re on vacation. Say also that we couldn’t see their yard from our house, and that we need to drive down the road to tell how long it is. If we don’t care how much gas we use, we could just mow once a week. Or, if we didn’t feel like mowing, we could drive over, check how long the grass is, and leave if it doesn’t warrant a mow. But if we want to minimize the amount of gas we use, both options are wasteful — mowing on a schedule (if it needs it or not) uses gas, driving to check on it uses gas. To avoid the waste, we need a way to tell how long the grass is so we can determine the optimal time to go.
With security controls, it’s the same thing: Each control costs money, and we have less money overall to spend on controls when times are tight. Therefore, the less money we have, the more important it becomes to make sure that the controls we have actually address a problem that the organization has — not just issues we think we could have.
In fact, the time to conduct a risk analysis is when times are most tight — not when we’re flush. Analyzing risk means finding out where and what our biggest issues are — the next step, using that information to decide what to fund and where to scrimp — that’s the payoff. So if you’re wondering how you can save your company money in the security space, think about risk and how you can measure it. It might require some investment up front, but if you do it right, you’ll get that investment back in spades.
Ed Moyle is currently a manager with CTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.