One day a Silkworm was working on a royal cloak: her neighbor, the Spider, was quickly weaving her web, and looked down with contempt on the slow, although beautiful, labors of the Silkworm. “What do you think of my web, my lady?” she said; “See how large, fine and transparent it is. I began it only this morning and here it is half finished. See and acknowledge that I work much faster than you.” “Yes,” said the Silkworm, “but your labors are crafted only as traps, destroyed as soon as they are seen, and swept away as dirt – worse than useless; while mine are preserved with the greatest care and in time become clothes for princes.”
The Moral of the Story: It’s not how much, but how well.
Firewalls, switches, routing, event logging and SIEM, 2FA, redundancies, backups and restores, NIST compliance – this is just a partial list of the ways one can protect information, prevent attacks, and prepare for leaks. But can you really manage it all?
On paper, things look really, really good. “We’ll have things backed up 3 ways, with restores ready at any moment; auditors pleased every step of the way; observing tech industry best practices so that others who follow will know what we did; in sync with ITIL; compliant with COBIT; adhering to federal, state, and local government regulations; meeting the requirements of Sarbanes-Oxley; conforming to PCI DSS standards.”
But then reality hits – in the end these will cost thousands upon thousands of dollars, and dozens or even hundreds of work-hours. And for what? In general, a ream of paper and a certificate. It’s nice, even necessary, to have a framework, a structure, and professional documents on hand, but we’ve all seen it, in our own company or in some other organization: under the burden of day-to-day business, the lofty goals of ALL of these are simply impossible to meet.
You and your employees have limited time in the office, and the demands of too many duties are simply unsustainable. Just getting through the normal day can be taxing enough. If one adds in more paperwork for each instance, more emails re: incidents, more communiqués about plans, and more meetings about departmental goals – the real business of transacting business suffers.
The business and compliance pendulum will naturally swing away from compliance and go back to business – it’s great to be uber-compliant, but it’s vital to serve the customer. After all, in addition to having limited people and time, you have limited money.
If we get too caught up in paper trails, regulatory compliance, event tracking, ad infinauseum, then something will get dropped, lost, or destroyed, simply because the demands on time, effort, and finances are too great.
Your company has to decide what kind of security silk you’re going to make. How much monitoring can you really do? What protections can you afford? What facets of security are truly important to you? What are the most vital components of your strategy? What are you, the leadership, really committed to doing?
It’s best to take the necessary time to evaluate what you can really do and implement it properly with the right personnel. Then you’re creating silk fit for royalty. If you don’t, you’ll be making a grand but temporary web that will be too large to manage long-term, and it will end up worse than useless.