Networks today are often very complex and, too often, in a state of disarray from years of piling on more software, hardware and other ‘solutions’ as our business grows.
Complexity may not be something we were expecting or envisioned as we expanded our network’s capabilities, but nonetheless many IT shops continue to implement ‘the next best thing’ to solve ‘the next big problem’. As Garry Sidaway explains here, the cybersecurity market is white hot.
As humans, it is natural for us to have the mindset of ‘there’s an app for that’ when looking for solutions (a product of years of marketing brainwashing I assume). However, sometimes, fixes to problems are over-engineered and provide too much of a solution. Or, at the least, they bring additional complexity by adding features that are beyond what was actually needed to solve the original problem. Adding complexity is rarely the answer. In many cases, viable solutions may already exist in an organization’s current infrastructure, but the desire to throw hardware or software at the problem is the default choice for problem solving.
Compliance initiatives help organizations by providing a roadmap for achieving a certain level of security and assurance that due-diligence has been performed to help protect data. However, in many cases, these initiatives cause panic and make us think we must add more software and hardware to be compliant. This is a misconception. In most cases, compliance initiatives mandate certain controls should be in place to protect data, however, you should remember this does not mean to spend a lot of money if you have existing controls you can refine to achieve compliance.
What we should be looking at is the use of technology to aid our efforts in becoming more secure and the products and techniques used should provide real value. Ultimately, we should strive to help our organizations meet their goals without having the solution inject complexity resulting in more problems. Remember, we want to solve security problems, not transfer risks to other parts of our network for us to fix later, or worse, for someone else to fix.
In the face of an incident, complexity of your environment can lead to complexity in identification, isolation, mitigation and disaster recovery. Keep it simple where you can, but apply enhanced controls where it makes sense.
In closing, I offer the following advice:
- Implement security controls when and where they make sense and provide real value
- Review your defensive posture on a regular basis
- Consider compliance requirements when selecting and implementing security controls
- Aim to reduce complexity of your network environment when implementing new solutions, not increase them
- Solicit help from third party network architects to obtain an outsider’s view on where your organization’s blind spots may be.