[Dailydave] Drinking the Cool-aid
dan at geer.org
Thu Mar 20 12:18:05 EDT 2014
| Networks are often the result of successive technological layers. As
| organizations take on new business, face new threats, reconsider
| security notions (e.g., insider/outsider), or embrace "new" security
| paradigms, more security products get deployed, adding complexity and
| increasing the attack surface.
|
| The picture that emerges resembles one big security contraption. It is
| hard to tell to what extent it will work as intended.
The question to ask your favorite CISO/CIO/General Counsel is
Have you or would you ever decommission a security product?
With the Index of Cyber Security (which I run with a colleague),
in September, 2012, we asked a form of this question:
What percentage of the security products you are running now
would you still run if you were starting from scratch?
0-20% 5% of respondents
21-40% 15% of respondents
41-60% 20% of respondents
61-80% 27% of respondents
81-100% 34% of respondents
Clearly, there are many who seem to be happy with what they
have, and yet there is a significant number that thinks they
could do better. One in five respondents reported that they
would keep less than 40% of their current security products.
Averaging the results, as many as 1 in 2 products at the higher
end of the range, or 1 in 4 products at the lower end (25.4%
to 45.6%) would be discarded if starting from scratch were to
be an option. The mid-point of these high and low ranges was
35.5%, or roughly 1 in 3, which was interestingly high.
Part of the explanation here is surely that no CISO/CIO/GC wants
to stand up in a Management Committee meeting and say "Our investment
in the PushMePullMe Scanner has proved to be a total loss; we need
$X,000,000 to decommission it and buy the tIPSy-nIPSy system instead."
No, it will be to *add* tIPSy-nIPSy to the environment and leave
the PushMePullMe Scanner up and running.
--dan