A new way of thinking
Introduction
I’d like to start by acknowledging this isn't a one-size-fits-all topic; it's hard to cover this in a way that applies to a Fortune 50 global enterprise as well as a 100-person startup. But having led security teams in both, I’m going to blend those learnings and indulge myself as I add some common sense.
Also, let me add a few statements my teams have heard over the years:
- “Frameworks are guides, not a book to be followed religiously.”
- “Common sense doesn't seem to be very common around here.”
- “Sell it small: If you make it sound huge and expensive, it's unlikely to be approved; make it easy for your boss to say yes.”
- “Sales Machine: I blame Microsoft for all bad decisions because they started with a pitch via PowerPoint.”
I’m a very vocal communicator, so I know I’ve said way more nonsense than that. The point is that we’ve all struggled over the years to balance internal and external influences as we ply our craft.
There are over 3,000 cybersecurity vendors and over 20 frameworks, and don't get me started on the reams of documents, analyst reports, alliances, working groups, and other media meant to help with information overload.
The result is that less experienced leaders often struggle with how to start and how to deliver. I built a reputation at an early age for “getting shit done”; we even had a podcast, “Get It Started, Get It Done.” Over 32 years I went from being an idiot with a screwdriver to running large global organizations with budgets of over $50m a year. While on that journey, I came to realize that it wasn't about enabling a network to run or people to log in, but about understanding the business. As you rise in your career, what matters changes. As you get higher up the ladder, you notice that the conversations are different.
Again, it very much depends on the company, its scale, its business model, and its structures.
Pragmatic Security
It’s with that context that I then share our concept of pragmatic security. Remember my four bullets above?
- Frameworks are guides
- Common Sense
- Sell it small
- Sales Machine
In all cases, we are hit from all directions as we try to craft a strategy and execute it with haste, but there are always distractions and, even worse, lots of people with “feedback.”
Security Purists
If you were around at the start of ITIL or ITSM, you’ll remember everyone figuring out what it all meant, then instantly over-rotating on complex processes and expensive tools. In the early 2000s, I was leading a team at Adobe and helping with their first-ever ITIL endeavor. Lucky for me, I had been part of an ISO certification in Europe in the late 90s, so I was ready for the ensuing BS that was about to hit the fan… People read those texts, books, and other cannon fodder and went to town, creating over-complicated processes that slowed IT down to the point of embarrassment. “IT teams across the globe became too expensive and too slow,” said every engineer in [insert your company name here]…
Those books became bibles.
I don't remember why, but I guess I was being punished: around 2010, I ended up being asked to lead ITSM at Adobe. We took what was an 18-month project and created 12-week sprints, redefined what ITSM meant, bought a beer fridge, partnered with Pink Elephant and PWC, and rebuilt all of IT’s ITSM processes in around nine months. One of my friends at Adobe (Simran Sandhu) described it as doing open-heart surgery while the patient was still working. Why did that matter, and how does it relate to our security industry?
Well, we do the same thing: we look at the security scriptures and then go about building programs, buying tools, and putting policies and processes in place.
How many times have you looked at a compliance framework and called BS on some of the things they are asking for? We forced password changes every 90 days? BS. People just incremented the number at the end, or some other stupid variation.
DLP? Seriously? Read the Verizon breach report. What percentage of data was stolen because DLP wasn't in place? Oh, what about Vulnerability Management?
So, the purists will call BS on me about now… Talk about the SANS Top 10. Yup. I get it, but…
When Your Budget Is Tight
You don't have unlimited money; if 80% of breaches originate from stolen credentials, lack of MFA, email compromise, and clicking links, then how about you focus there first?
We work with several vendors who can nail that use case in just a few days, but hold on a minute before we call them. That's not the point of this little chit-chat.
The point is, let's get pragmatic. I'm no math wizard, but maybe there’s an equation:
Pragmatic Security
“The term "pragmatic" refers to an approach that is practical and focused on results and effectiveness rather than theoretical or abstract ideas.”
Back to the bullet points above, where I joke about PowerPoint and slides: how many times have you watched a leader share a vision that is never delivered? Pragmatic, to me, means it’s about delivering practical solutions. But it's also about looking at what you’ve inherited and deciding what makes sense to continue investing in at that level.
I inherited organizations and reduced spend in certain areas that, frankly, didn't reduce the company's risk but added friction. It’s important that you assess what processes, technology, and people are in place and how they serve the strategy of the business, not just how they reduce risk.
Security Architects
OK, before I kick this bucket: yes, there’s a wide range of quality here, and since I’m writing this blog, I can air that I’ve had many of these people on my teams over the years. They often have big egos (like mine, I guess), but I think many companies don't know how to define the role, and most companies have different ideas of what it is. For me, it’s one of the most influential roles in our industry, which is why I lose patience when I meet architects who are failing to revolutionize and realize their opportunities. If you’re an architect and reading this, please be pragmatic.
Here are some statements that stuck with me over the years:
- “We don't consider budget, implementation or operational costs when architecting the solution” - Cisco Security Architect
- “What do I need to complete for approval to test this out?” - Adobe architect. I said, “Nothing. You are approved.”
- “Den, don't try so hard to be an ass.” - Adobe Architect and still one of my good friends
- “They can't launch until we agree.” - Architect on Ivory Tower
- “If they get Mimikatz on the laptop.” - Architect demonstrating how certificates are not as secure as passwords
Sigh… I stopped at five. But one of them was me being an ass… I know there are more lines like those…
So, let's get to our conclusion.
Our 5-Step Pragmatic Security Framework?
The goal here is to bring common sense to the industry. Stop spending money on tools you never deploy correctly or don’t have the staff to manage.
If you're a board member or CEO, what's your take? Oh wait, did you get this far? That's right, let's not have you be in the news. Do just enough to keep everyone good, right?
See, being pragmatic means understanding the goals of the business. The business shouldn't have to be security purists; that's why we have to become pragmatic.
We’d like to think our approach is different from the rest of the security firms out there. Here are a few highlights of our process:
- Learn your business
- Determine the risks to your growth and profitability
- Assess your IT and Security people, process, and technology
- Cost-saving Recommendations: consolidation, optimization, and how to reduce friction and risk
- Enable your execution (bring in the experts if needed)
Our goal is actually to look at your business and figure out how to reduce your IT and Security costs while at the same time reducing your risk. We fully expect the cost of our services to pay for itself over time as we find ways to save you money. Our total disclaimer here is that we’re not reckless, nor will we cover things up. We are transparent, honest, and want to help you reduce your risk and expenses.
What makes us different?
We don't sell you on the need for a big security program, nor do we hide behind complex or hourly pricing. Our aim is to be as transparent and open as possible. Our pricing is intended to deliver value to our customers with no surprises.
We’ve all been burned before paying hourly rates for deliverables that sometimes never arrive with the quality you expect. Our subscriptions are available for those who wish to leverage further discounts and a predictable billing cycle.
Ready to protect your business with pragmatic, expert-led security? Contact us today to discuss how 909Cyber can safeguard your company’s future.
How many cybersecurity frameworks are there worldwide?
It is difficult to pinpoint an exact number of cybersecurity frameworks worldwide because new frameworks are continually being developed, and existing ones are often updated or adapted to meet the changing landscape of cybersecurity threats. Additionally, there are many frameworks tailored to specific sectors, industries, and regulatory environments.
However, some of the most widely recognized and established frameworks include:
- NIST Cybersecurity Framework (CSF)
- ISO/IEC 27001
- CIS Controls
- COBIT
- PCI DSS
- NIST SP 800-53
- Cyber Essentials
- SOC 2
- GDPR (from a cybersecurity compliance perspective)
In total, there are dozens of frameworks when considering various regional, industry-specific, and proprietary models. Many organizations also adapt existing frameworks to create custom models that fit their particular needs.