Keep It Simple, Stupid: Less is Sometimes More When Preventing Security Breaches

George Finney, Chief Security Officer, Southern Methodist University

George Finney, Chief Security Officer, Southern Methodist University

When I was 12, my stepmom introduced me to the acronym for the phrase, Keep It Simple, Stupid, or KISS. She wasn’t a wicked stepmother, but my initial reaction was to be offended. Who are you calling stupid? Little did I know that the phrase was actually coined by the lead engineer, Kelly Johnson at the Lockheed Martin Skunkworks lab.

Johnson’s idea was that all their designs should be simple enough for a soldier in combat to fix with only limited training and basic tools. It was this principle that helped in the development of the SR-71 Blackbird project, one of the greatest feats of engineering of all time.

As it turns out, my stepmom was right. I do have a tendency to complicate things, and since I work in cybersecurity, that turns out to be a problem. Keeping up with cybersecurity threats is difficult enough without having to simultaneously thwart the bad guys, but we also have to sort through a massive selection of tools to assist in that defense. It’s natural to want the best products and best practices. But should you adopt best of breed or a unified platform? it’s a daunting task to pour over the estimated 2,000 plus cybersecurity vendors out there—not to mention all of their products and various services. It’s nearly impossible to keep track or even keep up.

There are six main categories of cybersecurity product that every company needs to function: firewall, email protection, anti-virus, logging, vulnerability management, and identity. But there are a lot of other products out there, and they all fight for recognition as a whole new category (such as data leakage, user behavior, or deception). I’ve spoken with CISOs who use more than 100 different products from different vendors have, many of which they don’t fully utilize and some they haven’t even implemented.

“If we look for experience with specific products in the hiring process, we could accelerate a migration, but we would also limit the candidate pool of talented engineers in the process”

There are also a number of companies out there that offer a variety of services that complement the product categories above. Among them are the main six: compliance assessments, MSSP, Penetration Testing, forensics, breach response, or Security Awareness. While some companies might be great at one service, they might not be excellent in every area. Some service providers offer cutting-edge services, but require you to use specific products and if you don’t already own them you might have to migrate or duplicate services.

If the cybersecurity sector could simplify the process of dealing with products and services, there is another challenge: vendor lock in. We’ve seen this several times after some of our largest providers were acquired and service levels went way down. Moving away from these companies has been a huge distraction, requiring lots of retraining, and takes away from our focus of protecting our organization. If we look for experience with specific products in the hiring process, we could accelerate a migration, but we would also limit the candidate pool of talented engineers in the process.

At Southern Methodist University, we have a highly technical team that is focused on retraining current staff. However, it can take months or even years to really learn a particular product. In a few years, that product could have evolved into something entirely new or become extinct. This is why more consumers are going to manage services that fill the gap. And, of course, that works until a business or institution decides to switch service providers. In addition to a new learning curve, the corporation loses any institutional knowledge or customizations they made along the way.

Here are some cybersecurity strategies that might help:

• Minimize. Streamline. Look for opportunities to reduce products, and fully utilize the products you have.

• Understand what your strengths are and play to those while finding partners to help you with policy areas where you need help. We at SMU have focused on awareness, designing our own quarterly newsletters, challenge coins, calendars, and more. There aren’t many partners out there that can deliver the quality and understand our community.

• Focus on prevention first. If you can stop attacks early, you won’t have to spend as much time cleaning up afterwards.

Stick to the basics. Many breaches in the news could have been mitigated by focusing on the basics first. You don’t need the latest cutting-edge product, you need to ensure you’re fully patched, backed up, and have strong processes that can prevent issues before they arise.