When I look back, I am always a little surprised how much I transform the organizations where I work.
I swear I don’t come in with pre-conceived intentions – I just tend to ask if “the why” and “the how” we do things still make sense or are well positioned to support the organization’s strategies. I mean, it is no secret I think momentum is the enemy – but change for change’s sake has no value to me either.
Yet, it seems I end up being a change agent, and throughout this phase of my career I had this sort of foundational core principle guiding my transformation projects:
It can’t suck.
The full security benefits of a transformation program may not be perceivable to the general staff, but those touchpoints better be refined. This does NOT mean porous or overly permissive – it means that the imposed restrictions facilitate authorized access with elegance – while making unauthorized access really difficult.
So how do you do that? Well – here are some things I keep in mind.
The eye eats first
Here is some news – a block page can look good. This is likely the most common interaction your staff will have with your security services – treat it that way – not as an afterthought. Exclamation points are not always needed. Your corporate branding guidelines are probably accessible to you and you should use them.
Scaring or admonishing an end user who has no malicious intent is counterproductive – especially since false positives are not uncommon.
We don’t want to create a shadow IT army out there when we block legitimate activity – inviting them to help us refine our tools is better than them figuring out how to get around them.
They are NOT partners – we are on the same team
We have enough adversaries. Our end users are not just partners – we are on the same team – and we should treat them accordingly. Respect their intelligence and intentions when they have a legitimate business interest in their actions. Redirect if needed – facilitate if safe and approved.
How do you do it? Well, check out my thoughts on Entitlement Based Policies. That everyone still does this wrong drives me crazy.
But at the core – it means understanding the services consumed by the organization – and creating a policy structure not tied to a rigid organization chart – but to the organic needs of the business. I call it security micro-services architecture.
Legacy isn’t a bad word – Momentum is
There is no lack of buzzy names in our new security stack. If you bought stock in every partner we implemented just before their IPOs – you would be doing pretty well (I would never do this – it feels unethical – but darn it). But we also have some blue-chip foundational partners. There is no shame in sticking with a “legacy” solution that is effective and can facilitate your business strategies.
The trick is recognizing when momentum, risk avoidance and fear of failure are keeping you on your legacy platforms.
While I really try not to use the militaristic language common in cybersecurity – it is hard not to draw the parallel between a CISO and a military general. Neither rashness nor cowardice is likely to lead to successful outcomes for either.
In fact, it is important to remember that elegance is nimble – but strong and controlled as well. These are virtues we should have throughout our security stack – and core to a security transformation project.