“Perfection is finally attained not when there is no longer anything to add, but when there is no longer anything to take away.” - Antoine de Exupery
In today’s world, it feels as if innovation has become the curse of many companies. It forces changes, and wheels being reinvented when not needed, out of fear that lack of innovation will be perceived as stagnation.
In addition, innovation for the sake of innovation can lead to security issues. These issues manifest predominantly in one of two ways:
Scope Creep The first is one of scope creep and the introduction of vulnerabilities through hurried and unplanned changes. For example, adding a new set of fields onto a web application at the last minute often results in an over-worked developer hastily cobbling together code to incorporate functionality. This can lead to inadequate testing and vulnerabilities being introduced.
But not all scope creep is rapid. Sometimes functionality is added slowly over time. What starts off life as a simple workflow ends up being a Frankenstein-esque corporate accounting, inventory, and pricing platform running the entire company.
The fundamental problem is that there is little linking of ideas from a brainstorm with reality. Often times things that are 'nice to have' are just that, only nice to have. There’s no need to invest in a shiny box that will add artificial intelligence to your security team, if you don't already have the basics mapped out.
Because we can The second issue which comes about from ‘innovation for the sake of innovation’ is the introduction of features not out of need, but rather because they are available.
The ever-increasing number of smart-devices are a good example of these. Just because it is possible to connect wirelessly to a kettle, a toaster, or a pillow, it doesn’t necessarily mean that it is a good idea.
In security teams, we often see this manifest in many ways. For example, keeping each and every log generated by every device is a good idea for investigations or to rebuild timelines. But is it really necessary for everything? Why not scope out and only store full logs for critical systems and strip away the noise.
Or why build a fraud detection system when the threat of fraud against your business is low.
The user experience Anytime there are new features or functionality added, user experience takes a hit. Even ‘good’ updates require users to learn new menu commands, alter their workflow, or simply having to retrain muscle memory to click on a different part of the screen.
But more so, it can disrupt the natural use of a product or technology. For example, an email client should be an email client. When it morphs into an all-singing-all-dancing CRM with context-aware reminders, and bluetooth enabled functionality, one wonders whether the product is actually an email client at all.
Security is not immune to these problems. Whether these be in-house scripts that evolve into a homegrown SOC, or enabling of additional capabilities - it adds unnecessary complexity and confusion.
The impact of such security changes is amplified when they impact the end user. Password reset policies, multi-factor authentication, phishing exercises, etc. all add to the mental workload of the users.
Technology, and by extension security, shouldn’t need to go through innovation for the sake of innovation. While arguments can be made for the progress such innovation brings, the risks often-times outweigh the pros.
Instead, I propose technology be put on an ‘Atkins diet’ of decluttering. While there are many intricacies to decluttering, they can be broken down into two broad steps:
- Simplify When looking at your IT security portfolio, ask yourself “what can go away?” Naturally this can be a scary prospect, why would one want to take away a security product. So maybe you can start by turning off excessive features and uninstalling bloatware. Don’t think of it like a purge, rather view it as renewed focus.
- Clarify Once the unnecessary parts have been stripped away, it’s time to organise. This includes sorting things out, creating network zones, segregating critical systems, and consolidating tools. Why use 5 different products, when one will suffice?
Now Innovate Wait, what? I thought this was about not innovating. I’m not anti-innovation, just the wrong kind of innovation. once your security portfolio has been simplified and clarified, it is the perfect time to see what true innovation can come about. Build the functions, and customisations that are right for your organisation and support your mission. As long as your mission doesn't involve sticking internet-connectivity to every device lying around the office.