I’ve always been a fan of Groucho Marx. I find his humor, along with his quotes, witty and entertaining. One of my favorite Groucho Marx quotes is: “Those are my principles, and if you don’t like them…well, I have others.”
Although the humor in this quote is obvious, the security lesson we can learn from it might not be at first glance. I think it is worth delving into, however, as we can take some wisdom from it that we can use in the security field. The lesson is one of applying consistent security policy.
As security professionals know, over the last 10-15 years, the complexity of the average enterprise’s infrastructure has exploded. As multiple different cloud environments have come online, multiple different technology stacks have been implemented in each environment in many cases. Each one of these technology stacks requires knowledge, expertise, and resources to operate and maintain. Never mind the efforts required to extract value from them for the benefit of the security program. As you can imagine, this has created exponential growth in complexity.
While this new reality creates many challenges, there is one challenge in particular that I see enterprises wrestling with nearly universally. Making a change across the modern enterprise is now no longer a relatively simple task. Updating a rule, deploying a new signature, modifying a control, and many other tasks that used to be fairly straightforward in the world of on-premises environments have become logistical nightmares. In many cases, entire teams are dedicated to these activities and are desperately trying to keep up, at the expense of other important security functions.
When it comes to security policy, the pain is particularly acute. The greatest security policies in the world are useless if enterprises don’t have a reasonable, consistent, and reliable way to implement them. Of course, applying policies selectively merely due to complexity should not be acceptable to the security team. There has to be a better way – a way to consistently implement security policies universally, regardless of how complex the infrastructure is.
Indeed, the new class of solutions dedicated to simplifying complexity in hybrid and multi-cloud environments gives hope that there is a better way. What are some of the benefits of going this route to facilitate consistent security policies? While there are many benefits, here are five strategic ones that I believe it is helpful to understand:
Reduced human error: Humans have many advantages over machines, namely humor and emotion. Yet, when it comes to repetitive tasks, machines are far superior. When humans are the means by which security policies are managed across multiple different environments, they are bound to err, no matter how careful and diligent they are. This introduces vulnerability and weakness, which lower the overall security posture of the enterprise.
Reduced exposure: Human error, shadow infrastructure, inconsistent policies, and other factors increase an enterprise’s exposure. The greater the exposure, the lower the overall security posture, and the greater the potential for a serious incident that may cause grave damage to the enterprise. While there are many elements required to reduce exposure, consistent security policies play a critical role in this endeavor.
Improved allocation of resources: Security team members who spend their days managing tedious, repetitive tasks can be better leveraged elsewhere. Not only does this bring added value to the enterprise, it also keeps employees happier in their jobs. For as much as security leaders emphasize the challenge in recruiting and retaining qualified employees, having more interesting, challenging, and exciting tasks for those employees would seem to help with both. Not to mention the benefits that better using human resources brings to the enterprise and how it contributes to improving the overall security posture.
Better reporting and metrics: One of the major benefits of simplifying complexity in hybrid and multi-cloud environments in an effort to achieve consistent security policies is increased visibility into the infrastructure. This improved visibility produces valuable telemetry data that can be used for a variety of purposes, such as continuous security monitoring, compliance, improving policies, and others. Accurate, complete, and reliable telemetry data is also great for reporting and metrics. It allows for various analyses to be performed on ground truth data, rather than leaving them up to conjecture or theory.
Better risk assessment: Risk remains at the center of the security profession. Risk assessment is an important focus for security teams and their leaders, as it is one of the primary means through which goals can be strategically prioritized. Risk assessment involves many components, including accurate and complete visibility into the environment, no matter how complex it is. Aside from facilitating consistent security policies, simplifying complexity in hybrid and multi-cloud environments facilitates the ongoing risk assessment that guides and informs those policies.
There is nothing wrong with having steadfast principles and consistent security policies – in fact, both are honorable. Of course, this lesson extends far beyond the security profession. For example, if you are outraged when one group experiences discrimination but are silent or even work to justify/encourage discrimination when a different group experiences it, you are making Grouch Marx’s point. Groucho made that point humorously, of course, and we can learn a lot from it.
