There’s an imaginary line that lives between efficiency and security, and generally speaking, those that straddle the two are prone to falling towards one side or the other. I’d like to suggest that these two concepts aren’t independent or opposites but rather complementary. Does greater efficiency result in lower security? How do you determine where to draw that line, and why do some companies get it right while others get p0wned?
I think it’s safe to say that neither security nor efficiency can ever be fully achieved; there are ALWAYS improvements you can make. The main question is whether those improvements will yield positive results for the company without breaking the bank or causing excessive pain to the business.
Let’s imagine you are the newly minted CIO/CISO of an enterprise SaaS company that hosts a number of products. Your products are “multi-resident”, which means they share certain server instances to control costs, but the majority of the processing is separated into private networks for greater isolation. Your CEO has told you that cost control, uptime, and efficiency are the highest priority, and with that in mind, you begin your assessment.
After your first week, here are your top seven concerns:
- Endpoint protection is practically non-existent; there are two of the cheapest solutions money can buy. On a positive note, one of them has a REALLY cool system tray icon.
- EVERYTHING is entangled in a single massive Active Directory (AD); if someone has admin access, they have the keys to the kingdom.
- The “management” network is a single segment housing five completely distinct (poorly implemented) administration panels to control all environments.
- Backups work sometimes, but from what you can tell they’ve never been tested.
- Uptime is pathetic, most environments don’t even hit 90 per cent because everyone has access to “manage” the systems as they see fit.
- Lots of systems have “shared” accounts for folks to log into and do what they need.
- Your team’s efficiency is abysmal, they’re firefighting 24/7.
Before we answer the security and efficiency question, from the list above, where would you focus your immediate attention? There is one item that stands out above all the rest in my mind. Don’t get me wrong, everything listed above is seriously problematic, but without the ability to properly back up and restore your environment(s), your goose is cooked in the event of a major attack or failure.
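The untested-backups item is the one the post singles out, so here is what “tested” looks like in practice: a restore drill that backs up a directory tree, records a checksum manifest at backup time, restores into a scratch location, and compares every file against the manifest. This is an added example written for this post, not the author’s tooling or any product; the sample files, paths and the truncated-archive failure case are constructed for illustration, and the same drill applies to any backup mechanism that can be restored to a scratch location.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path

# Constructed sample "production" data; in a real drill this is the tree
# (or database dump) you would need back after an incident.
SAMPLE_FILES = {
    "config/app.yaml": b"db_host: db.internal\nlog_level: info\n",
    "data/customers.csv": b"id,name\n1,alice\n2,bob\n",
    "data/orders.csv": b"id,customer_id,total\n10,1,42.00\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_sample_tree(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def make_backup(src: Path, archive: Path) -> dict:
    """Archive src as tar.gz and return a manifest {relative path: sha256}.

    The manifest is captured at backup time and kept apart from the archive,
    so a later restore is checked against what was actually backed up rather
    than against whatever the archive happens to contain today."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = path.relative_to(src).as_posix()
            manifest[rel] = sha256_bytes(path.read_bytes())
            tar.add(path, arcname=rel)
    return manifest


def restore_backup(archive: Path, dest: Path) -> None:
    """Restore into dest. The 'data' filter (Python 3.12+, backported to
    recent 3.8-3.11 releases) rejects absolute paths and path traversal in
    archive members; older interpreters fall back to the plain call."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:  # interpreter without the filter argument
            tar.extractall(dest)


def verify_restore(restored: Path, manifest: dict) -> list:
    """Return a list of problems; an empty list means the restore matches."""
    problems = []
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_bytes(path.read_bytes()) != expected:
            problems.append(f"checksum mismatch: {rel}")
    present = {p.relative_to(restored).as_posix()
               for p in restored.rglob("*") if p.is_file()}
    problems.extend(f"unexpected: {rel}" for rel in sorted(present - set(manifest)))
    return problems


def run_restore_test(corrupt: bool = False) -> list:
    """End-to-end drill: back up, restore to scratch, compare to manifest.
    With corrupt=True the archive is truncated after the backup job reports
    success, simulating a backup that 'works' until you actually need it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, scratch, archive = root / "prod", root / "restore", root / "backup.tgz"
        write_sample_tree(src)
        manifest = make_backup(src, archive)
        if corrupt:
            data = archive.read_bytes()
            archive.write_bytes(data[: len(data) // 2])  # constructed damage
        scratch.mkdir()
        try:
            restore_backup(archive, scratch)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return [f"archive unreadable: {exc.__class__.__name__}"]
        return verify_restore(scratch, manifest)


if __name__ == "__main__":
    print("healthy backup:", run_restore_test() or "restore verified")
    print("damaged backup:", run_restore_test(corrupt=True))
```

The point of the drill is the scheduled restore into a scratch location, not the archive job: a backup that has never been restored is an assumption, not a capability, and the manifest check is what turns “the job finished” into “the data came back”.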
If you deconstruct the remaining items on the list, they’re all due to the lack of strong enterprise oversight. The key to being able to manage and maintain any environment(s) lies in simplicity; the KISS principle is your best friend. You’re always going to inherit problems, but your ability to break them down into simple forms and deliver elegant solutions will mean the difference between success and failure. If you get distracted easily by shiny new toys, you’ll end up with pain and suffering. If you can stick to the fundamentals and build off that base, you’ll see a marked improvement in both security and efficiency.
Let’s consider a simple example: If my team has to run 50 software products to manage systems and security, how effective do you think they will be?
I’m always shocked at companies that run large numbers of systems and expect their teams to be experts in all of them. That’s just a joke. Unless you are made of money, your team will have a few folks that are good at a few software products, the rest are just “best-effort” when it comes to administration.
If you are doing it right, implementing efficient systems will actually improve security by lowering both complexity and the number of points you have to protect. The illusion of security created by hundreds of shiny protection toys is just that, an illusion. Similarly, by implementing proper security, you actually create the structure and processes that make your teams more efficient: simpler environments, simpler automation, simpler administration. If security is a hindrance to your business, you’re doing it wrong.
When you make the move to a more secure and efficient model, here are a few tips:
- Limit the number of tools your team has to use – find the right tools that get the majority of the job done. Stop buying tools for the sake of having all the best toys in the class.
- Set clear deliverables for your team and make sure they are compartmentalized. NEVER leave your team with hundreds of projects on the go and no end in sight.
- Prioritize your projects based on risk, don’t just grab a project because you think it will be an easy win.
- Connect with the business! Figure out what drives revenue and you’ll find a willingness to fund your projects.
Feel free to reach out for help with your efficiency and security roadmaps; neither of these has to be complicated, and I can guarantee you’ll see improvement.