How to avoid shelfware
Two years ago, I found myself bewildered by the size and scale of the RSA Conference expo halls (yep, I’m using the plural because, if you haven’t been to RSA Conference in a while, there are now two expo halls). In fact, at one point I even declared to the internet that I felt we’d reached “peak RSA,” and that industry consolidation would shrink the show floor the next year.
I was wrong.
The security industry is awash in new hotness and buzzwords. Last year, RSA Conference had 550+ exhibitors adorning its expo halls. Each year brings a few new “must have” technologies. Over the years we’ve seen the explosion of threat intelligence, orchestration, and endpoint detection and response (EDR) vendors, to name just a few. For the most part, these technologies solve real problems. But they’re not always problems every organization has. You’d think that purchases would line up with problems or close gaps. The reality is that buying products is easy. It’s operating them – and ensuring you get value out of them – that’s the hard part.
It’s too easy to get seduced by the infosec hype cycle. There’s a common fallacy that occurs when companies buy new security tech: if everyone is talking about that brand new thing and many of your peers are buying that brand new thing then you must be missing something if you don’t buy the brand new thing. And you definitely don’t want to miss something, because when you do, bad things happen and your company ends up on the front page of the newspaper. This type of thinking leads to a lot of security technology purchases that companies don’t really need. As a result, there isn’t a clear plan on how to operate and maintain it. You end up focusing on the wrong things and burning precious resources on a shiny new gadget instead of addressing more strategic needs that reduce risk.
And then there’s the worst scenario of all: you bought a really great product, and it’s actually finding things. But because you didn’t have the resources to operate it, nobody was paying attention… and you got compromised… only to find out later that the signs of the incident were there all along if only someone had looked. That never plays well in the headlines or with lawyers.
The good news is there’s a set of questions that you can ask yourself before you purchase new security products that can set you up for success. Let’s dig into them.
1. What’s the problem that I’m trying to solve?
It may seem like a simple and unnecessary question to ask, but asking this question and being thoughtful about the answer can save a lot of pain down the road. For example, if you’re trying to reduce the time that it takes for your team to investigate a security incident, and it’s taking you 24 hours just to acquire suspicious files from machines, an EDR solution could absolutely help you close that gap and reduce your investigation time.
On the other hand, if you’re afraid you’re missing bad things and you’re solving it with a new EDR solution (but without thinking about how your team is actually going to use it to find more bad things (not to mention the increased workload that goes with it)), then it may be time to put that purchase on hold.
2. Is my team ready for this technology?
All too often, purchasing and installing new technology is seen as “the hard part.” While some tech may be really difficult to get up and running, the hard part is operating it in a way that delivers value, and continuing to operate that technology once everyone is bored with it and it’s no longer shiny and new. You need to understand – as well as you can – the problem that technology is supposed to solve (see above). Also, someone needs to be accountable for its success. That includes defining what success looks like and how it’s going to be measured. People (with actual names) need to be assigned to operate and manage it. Finally, you need to make sure that you have a plan to integrate the new technology into your team’s processes and workflows. If the new tech sits off to the side and isn’t fully integrated into your team’s daily life, it’s well on its way to becoming shelfware.
3. How am I going to defeat tribal knowledge?
Tell me if you’ve seen this before? You implement a new technology. And there are one or two people on your team that are “the experts” with that tech. They’re the ones that know its ins and outs. And so everyone looks to them when something goes wrong. You need a plan to uplevel the rest of your team so that they’re all experts with that new technology. That way, when one of your first-gen experts leaves, there’s no dip in the team’s ability to use the tech.
This means making sure some fairly mundane things are in good order: knowledge capture and documentation, training for the rest of the team, exercises to make sure the technology is doing what you want it to and that the team truly knows how to use it, re-training over time, documentation updates as it changes, documentation updates as your organization changes… Yeah, managing security technology is hard. Frequently the hard parts are the boring stuff no one wants to spend their time on. Sing along if you’ve heard this tune before.
4. What’s my long-term plan for keeping this technology running smoothly?
Often, organizations implement new technology, claim victory and move on. They neglect the caring and feeding required to continue operating well and providing value. You’ll need a plan. How are you going to manage its upgrade lifecycle? Are there any shifts coming in your organization that will require the tech to adapt? If so, do you have a plan?
Another part of long-term planning (that almost no one thinks about) is when you’re going to scale back or turn off a piece of technology entirely. For any security control, you need to know when you’ve achieved your goal. That will also tell you when you’ve reached diminishing returns. It’s important to think about how and when you’ll need to scale back and ultimately retire the tech.
With all this in mind, go take a fresh look at your security initiatives over the next 12-18 months. In particular, look at those which involve purchasing and implementing new technology. Ask yourself whether you really have the problem that technology solves. Is your team is ready for it? If so, how are you going to deal with it in the years to come? If you have great answers that make you feel confident, go forth and conquer (errr buy). If not, don’t be surprised if you end up with an investment that doesn’t provide much return to the organization. While that doesn’t sound ideal, the other (and more troubling) consequence of a bad purchase is that it could actually prevent you from buying something that could truly put you in a better place. Ask these questions and you’ll find that you’re spending your time focused on the tools that really matter and bring value.