It’s no secret that I love Las Vegas and all it has to offer, including gambling.
To me, this is a natural affection given what I do in my day-to-day life. Isn’t that what we as IT Security professionals do every day: gamble? But instead of gambling with our own money or chips, we are betting our company’s money and name.
Gambling by someone who knows what they are doing is not a game of chance but a game of knowing and playing the odds. It is about taking the right calculated risk at the right time, with, of course, a little bit of luck.
If you look at your security strategy as a game of blackjack, you can borrow the rules and objectives of the game. The key to a successful strategy is figuring out the odds for each hand played, or, in the IT Security world, the likelihood of being dealt good or bad cards, and making an educated guess about what still remains in the deck.
Before playing each round, you have to come to the table prepared to play against any and all situations and combinations that you may face.
1) Know how much you can bet (budget): Step one is to place your bet. Before betting the farm, you had better figure out how much you can afford to put on the line.
In addition, just because you can afford to bet hundreds of thousands or even millions of dollars doesn’t mean that you should. Remember to look around at the other players at the table.
What level of investment are they making in a certain strategy or tool? I have found you can learn so much by talking to your colleagues and finding out how much they are laying on the line for a particular area. It’s everyone against the dealer (or all the threats out there), so you should work together where possible.
2) Know when to split: Diversifying your tools minimizes your risk exposure and gives you better odds of winning. Layering your protection against threats is a great way to protect your assets.
This does not mean you need more than one technology or tool to address a specific need. You can use a mix of people, processes and tools to layer a solution and minimize your risk.
3) Know when to double down: Doubling down means investing more in an existing strategy, tool, team or process. Once you have something in place to address a particular area of risk, it is important to keep monitoring its effectiveness and fitness for purpose.
Technologies are also constantly changing, upgrading and expanding. You may be sitting on a tool that can do a lot more for you and address more than one area, but to implement those expansions you will need to double down on your investment in it.
4) Know when to hit: Hitting means adding to your portfolio: additional tools, processes and/or people that continue the investment against a particular risk or focus area. It is a great way to improve your IT Security strategy.
You can get creative about how you improve a current investment; significant enhancements need not break the bank. Improving documentation, education and awareness around a solution or process can have a large impact.
5) Know when to stay: There will always be a point of diminishing returns on an investment. At some point in the lifecycle of a technology or a process, you will need to determine when it is right to keep everything as is.
This does not mean you can stop regular patching and maintenance (we all know how critical that is for any technology product); it means that further significant changes or improvements would not provide a greater return on your investment.
6) Know when to get up from the table: Lastly, in the words of the great Kenny Rogers, you have to know when to walk away. The key here is to know when to revamp your strategy or to consider an entirely new approach or technology for a particular area.
This is often hard because it could mean admitting a mistake or failure in a prior strategy or tool. But it is critical, because if you don’t get up and walk away, you could lose it all. Sometimes it is best to take a step back and look at things from a new angle to ensure that you aren’t missing something.