Security Principle #3 - Cut Roots, Not Branches

Posted on Mar 29, 2017 9:00 AM by:

In earlier posts, we talked about the first two of Intellinet's security guiding principles (Principle #1: Security is a process, not a product, and Principle #2: Risk-informed, data-driven decision making). Now, we will take a closer look at Principle #3: Cut Roots, Not Branches.

To those with an operations or infrastructure background, the “roots” of this principle will likely bring to mind problem management, e.g. root-cause analysis in the context of service outages.

That’s one facet, but these “roots” go much deeper. Fundamentally, this principle asks the question: Are we focusing on the right things, in the right order, in the right way?

The impact of this question is ubiquitous, and answering it requires a grasp of vision, strategy, requirements, and risk. It will determine, for good or bad, the success and sustainability of everything you do. In a security context, consider:

Are we focusing on the right things…
This should come as no surprise to readers of my other blog articles, but if technology is at the top of the list, the answer is probably “no”. Hackers no longer care about your firewall; they are after your people. In our modern cloud-first, mobile-first world, identity is the new perimeter.

…in the right order
Case in point: the order of GRC (Governance, Risk and Compliance) isn’t arbitrary. If you don’t do G first (and well), you can’t do R and C well. Businesses often want to implement technology that they don’t have the ability to govern effectively, which is one reason why it is so difficult to demonstrate a clear ROI for security technology. Years after deployment, the products are only partially implemented, much less creating quantifiable business value.

…in the right way?
To paraphrase and re-purpose the Pareto Principle (also known as the 80/20 rule), 80% of your security will come from only 20% of your efforts. Are you prioritizing the 20% that’s yielding 80% of the results, or the 80% that’s yielding only 20% of the results? Frankly, most of the 20% investment that yields 80% of the results will come from doing the basics well, not from investment in the latest security fad.

Are you focusing on the right things, in the right order, in the right way? This can be a hard question to answer. We can help you to catalyze (rather than constrain) your business, by identifying, prioritizing, and implementing the things that matter most. Contact Intellinet today to learn more.