This is an ongoing series of guest blogs written by TAG Cyber analysts in conjunction with various members of our SPHERE team. Offering insights from the perspective of the professional industry analysts combined with a technology company focused on the goal of establishing cyber hygiene. This article comes from a fearless leader, CEO & Founder of TAG Cyber, Edward Amoroso.
Enterprise security decisions are driven by two objectives. The first involves the active mitigation of live cyber-attacks to production systems. This objective should be obvious, since the purpose of establishing any security program is to reduce the consequence of real cyber threats. One should therefore expect attack avoidance to be a primary objective for security – and it usually is.
A second objective, however, involves establishing compliance with some set of requirements. If properly implemented, compliance can reduce risk by closing gaps, clarifying controls, and identifying weaknesses. The problem, however, is that certain aspects of modern compliance across government and enterprise have tended to drift away from this basic objective. In a nutshell, the problem is that compliance has become too complex. The process of demonstrating compliance can be lengthy, the tools required to establish compliance have become complicated, and the expense of maintaining compliance has grown too high. The result is enterprise security teams tend to discount compliance programs – if only because they dread the day-to-day work involved.
Our recommendation as TAG Cyber analysts is two-fold: First, we would plead with the purveyors and stakeholders of security frameworks, platforms, and processes to simplify wherever possible. Most security frameworks, for example, tend to move forward in successive versions by always adding new requirements – and never removing. This seems like a bad approach.
But second, we believe that enterprise teams would be wise to clean up and simplify their own systems, applications, and infrastructure. As one would expect, if a complicated compliance process is used to review a complicated enterprise security architecture, then the result will most likely be an explosion of complexity. And this is never a good idea when dealing with security controls. One great advantage of the solution offering provided by commercial security vendor SPHERE is that their platform and associated set of services are designed to clean up security configurations, with emphasis on identity-related systems. As one would expect, most security configuration mistakes are related in some way, shape, or form to identities – so this emphasis is welcomed.
The action plan here for enterprise should be obvious: Compliance programs are certainly not going to go away soon – and despite the recommendation from analysts such as at TAG Cyber, it also seems unlikely that framework requirements are going to be simplified soon. (We hope this will happen eventually, but we must be realistic.)
Enterprise security teams must therefore control the one variable in their purview – and that is the complexity of their own systems and infrastructure. This is why we believe that identify hygiene tools such as from SPHERE will be essential to avoiding the increased complexity that will come from establishing compliance for any modern computing environment.
Let us know what you think.