As the saying goes, “amateurs talk tactics, armchair generals talk strategy but professionals talk logistics.” This could have been written for Security as a discipline. We may love the tactics, and we may get stuck in strategic conversations; but the truly successful security professionals understand the logistics of the security business. The temptation when approaching logistics is to make this a pure CapEx discussion and to only look into what tools are used in a modern defense, and therein lies the problem. The correct answer lies in optimizing the effect of people, process and tools together in defense — a combined arms for the good guys, if you will.
We’ve established that this is a Human-to-Human conflict and know that people are in our networks, and we’ve established that advanced threat technologies are what give us a chance to avoid suffering when someone penetrates our network. But the vast majority of the spend in the average security department is determined by inertia: someone from finance turns up to model next year’s budget and says “…so I started with what you spent this year, because that won’t change too much, and then I’ve…” This is followed by a cut of 15% in a bad year or a modest bump that’s never enough in a good year. Frankly, if this is the first conversation around logistics, you’re in trouble.
This leads to a spending pyramid where the vast majority of spend is on checklist items from previous waves of regulations (got a SIEM? Check! Got an IDS? Check!) that we’ve established don’t work for stopping advanced threats. If you’re lucky, what little discretionary spend remains is free to try an experiment or two at the top of the pyramid, and frankly there’s far too little of that!
The smart CISO will engage early and often with Finance, and as high in the finance chain as possible, to drive an understanding of what’s really happening in IT. This isn’t trivial by any stretch because it requires the language and the discipline to get the metrics right for a department and to establish goals for security that are aligned closely with the business. Frankly, for most companies, there is a massive misalignment between the core business and the security mandate. That alone could be (and will be) the subject of future blogs, but suffice it to say that partnerships with the CFO (and the CRO if there is one) are essential. The CISO should be able to ask the CFO to assign some whiz-bang negotiators to help put pressure on the commodities in the kit.
Something is a commodity when it is homogeneous in quality (i.e. no differentiation) and available everywhere. When those conditions are true, price should drop at about 30% a year until prices bottom out around (but not necessarily at, since commodities can make good loss leaders) a hair above the cost of providing whatever good is in question. What this means is that most basic threat security products should be in a price freefall. They aren’t, largely because of the way security budgets are determined, the perception of value from brand, and the pressure of the vendor community to charge a premium for something that is a commodity.
A partnership with the CFO will get you access to purchasing people and, frankly, most CISOs need someone who lives and breathes negotiations on their side. When the next firewall, IDS or AV vendor turns up, they should see the unsmiling face of a purchasing agent starting at a 30% reduction in Maintenance and Support.
That’s how the pyramid above becomes a column, and that column becomes an inverted pyramid. And when that happens, you can begin to place bets on several strategies and technologies for tools that claim to be “advanced” in nature or able to change the game in defense.
And now we bring the people and processes back in. If this is a race between good guys and bad guys, the efficiency, fidelity and use models for tools matter. Where they sit and how they enable good guys to defend is crucial. This isn’t about a godbox or a MOAA (Mother Of All Appliances) that plugs in and solves everything — we know that.
We need to find the tools and techniques that will enable people to hunt better, chase items of higher relevance, and shift and adapt faster to counter the moves and adaptations of attackers. That’s going to take a few technologies at the top of the pyramid, and it’s going to take an up-leveling of the notion of security, which we’ll cover in the next blog in the series, along with why a network-based (not perimeter-based!) approach provides a new set of levers and options for finally getting ahead of them.
The post Logistics, Logistics, Logistics appeared first on Arbor Insights - Our People, Products and Perspective.