Whenever you roll out a new security architecture, collaboration with the architecture and development teams is fundamental to success. Pushback from those teams can come in all sorts of ways; they may think the security team is overreaching. Development teams justifiably worry that the security requirements will swamp the budget and blow their timeline.
I was on a project where we did a review with the tech leads, and the comment at the end was "I am surprised it was so boring." I said, "I take that as a compliment." Security architecture shouldn't be about making people's heads spin or trying to be a security rockstar. Just because 80% of the industry does something doesn't mean it's the most effective choice. Make things simple to understand, simple to build, simple to integrate. Boring is good. Better yet, your designs may actually make it into a real, live production system.
On a related note, an interesting company that excels in risk management is Markel (a so called baby Berkshire), and on Markel's Q3 earnings call, Tom Gayner picked up on a similar theme (and managed to work in a Princess Bride reference to boot):
"Prior to this call, I was speaking with one of our long term shareholders about the conference call process. He told me that he has owned the stock for about 20 years and called us boring. He said that he really couldn’t imagine us saying anything in the call that would change his mind about Markel and his long term ownership of the stock. I thank him for his honesty and actually I agreed with him.
Our number one goal is actually to still be here 20 years from now and delivering a report just as boring as this one. I suspect what he told me was true for our loyal and long-term owners to provide us with the capital we need to run this business. I also suspect that it’s true for shorter term followers of the stock that usually issue a sell recommendation immediately following this call.
As the character Inigo Montoya said in The Princess Bride, "You keep using that word. I do not think it means what you think it does." I will leave it to those of you who would have access to the long term part of Markel to decide which unchanging point of view you wish to embrace. The force that propelled the 27 year line on the chart up into the right cannot be found within the cells of the spreadsheet.
Boring works for me when it comes to talking about our financial results. We shouldn’t be that excited. I am all in favor of grinding it out along the same lines that we have through our 27 years as a public company. We’ve looked after the capital that you entrusted to us and we produced wonderful returns for the owners of this company.
Roughly speaking, the longer you run Markel the more money you can make. And by the way, while it may look and sound boring, I can promise you that we're having a lot of fun doing this. There is not a day that goes by when I don't hear laughter at this office. In addition, there are some days when we are simply stunned by what happens. I promise you that we are not bored."
There's one more Markel story worth sharing, and that is when Tom Gayner noticed that whenever the phone rang in Steve Markel's office, Steve would wince. Tom asked why, and Steve said "there's no such thing in insurance as a good incoming call."
So it is with security: strive for boring.
I went to the Cloud Identity Summit in Napa this year. Just like every year, there were great talks that showed new ways to solve old problems. One of my favorites was from Amazon on their cloud identity and security work. It was an incredibly boring talk, actually. Watching Amazon's IAM progress can be like watching grass grow.
Too true. So why was the Amazon talk one of my favorites? It was about a real system, deployed at very large scale, that normal users can build, deploy and run. That counts for much, much more. It's substance. Plow horse, not show horse.
Josh Corman's recent tweet is true for sure:
The reverse of that is also true: the difference between doing lots of little things better (checklists) versus the grand silver-bullet "solution."
I was talking with someone who spends time on visualization, and I mentioned how helpful better metrics on control efficacy would be: measuring how well controls hold up in different scenarios. The response I got was "that's not sexy," and that it was better to focus on threats and graphics. Lots of people in the industry think that. I do not see it that way. That's not engineering, not finding and building margins of safety; it's a fashion show, tailored for security conferences.
Security doesn't need new protocols as much as it needs much better integration of the ones we already have. Integration is a slog, but the long-run payoff of a more resilient system is worth it. Stay boring, my friends.
(Markel's 27 year stock chart)