Managing security for today’s enterprises is an increasingly complex task. But being comfortable with failure is an important skill.

Managing security for today’s enterprises is an increasingly complex task. Just look at the environment you work in: threats both inside and out, legacy technologies that may be exposing your systems through unknown or unpatched vulnerabilities, new technologies being rapidly adopted by the business (often without any input from the security team), and users, acknowledged as the greatest risk of all. It’s a Sisyphean task – you keep pushing that boulder up the hill, only to have it roll back down to the bottom where you must start all over again. But how best should you approach this complex risk environment?

The threats you address today are a moving target, but so are the ways you mitigate those risks. In 2002, there were some 730-odd vendors offering security solutions to companies like yours. Today there are more than 1,600. There are so many options that most security teams struggle to even know where to begin. It’s made deciding which options are best for your business (pardon the continuing Greek mythological references) a Herculean task. The same holds true for best practices. At CSOonline we’ve been writing about best practices in security for more than 16 years, but the reality is that few best practices can be applied universally. What’s right for one company is not always right for another.

The greatest challenge, of course, is that no one can afford to hit the pause button, even if there were such a thing. Business is not going to come to a grinding halt while you figure out the right course of action, nor should it do so. This may sound odd, but security needs to act a little more like DevOps: it must be developing, deploying and managing solutions all at the same time. You’ve heard the analogy before, but you need to be building the car while it’s still driving down the road. And you need to fail fast.

In my many conversations with leading organizations I’ve heard the most successful of them say that one of the keys to their success has been a willingness, almost an eagerness, to fail fast. They embrace it, in fact, as a testament that they are building an effective security environment for their organizations. Failing fast allows them to learn from their mistakes, avoid future similar mistakes, and address risks far more quickly than the traditional model of solution deployment.

Failing fast is also important because it can help an organization move from a tactical posture to a strategic one. Constantly putting out fires is a giant suck that eats time, budget and resources. We also know from our own research that businesses that can be more strategic about security reap significant benefits, including fewer security incidents, less downtime and fewer losses.

Driving to reduced risks is, in and of itself, risky. But if you’re afraid to fail you’ll never learn what works best.