“If only we buy this magic fairy dust security tool, all our security problems will go away!”

…every time you buy a security tool for your employer, part of your subconscious secretly hopes for this, right? Maybe you don’t even admit it to yourself, but security vendors certainly try to exploit this reflex.

The problem is that when you are on a budget—and if you work in the private sector, you most definitely have a budget—you have to do the easy stuff before you do the hard stuff. You have to crawl before you can walk.

Buying some expensive security tool that’s going to mitigate the risk of some exotic attack makes no sense when 1) you haven’t dealt with the “blocking and tackling” work and 2) when you don’t have the security staff to have eyes on glass.

This is a problem because security people are expensive and companies don’t like spending money on risk management in a down market.

But security is a process, not a product. It’s about the way we do things, not what we build or what we buy.

Security people are low-hanging fruit pickers for a reason. Spend scarce resources of time and money to get the easy security wins, and then focus on keeping those wins by doing those things consistently.

It’s about consistency.

Consistency is king. Consistently nailing the blocking and tackling, getting the basics right, day in, day out, drilling drilling drilling. This is what makes attackers’ lives miserable.

Most post mortems of major security incidents read like a bad pen test report by a mediocre junior hacker. Force your adversaries to put in some effort or go hack someone else instead.

And I measure my success as a defender by how miserable I can make an attacker’s life. Either the bear doesn’t care who they eat and they go attack someone else, or I’ve bought my employer some time, and who knows what the future holds?

Why is this on my mind right now? I get bombarded by cold pitches from security vendors to my work email, to my personal email (don’t do that), to my LinkedIn account (OK, but the answer is probably ‘no’), and it makes me think, why would I buy any of these tools? This is not good value. Besides the fact that I’m not going to spend my employer’s money on some random startup’s new whiz-bang gew-gaw that’s still in beta, there's no point in collecting a vast amount of security tools.

Keeping your security tooling to a manageable number is vital, I feel. Too many companies wind up burning cash on a ton of security tools that they don’t have the staff to even use. And the staff time you have would be much better focused on doing the basics, the blocking and tackling work.

Now, there are certainly times when it is cheaper and more effective to outsource security work. The decision to do work in-house or outsource it is one I am confronted with on a monthly, if not weekly, basis as a CISO. Making the right decision is critical to maximize my Security ROI. I am a steward of my company’s resources, and I need to spend that time and money wisely to minimize security risk and maximize business velocity.

But often the cheapest and most effective strategy is to do work in house, and rarely is it “buy yet another random security tool from someone who messaged me on LinkedIn.”

Pssst. LinkedIn vendor reps. Take the hint. Winkey winkey.