Most companies have a lot of security policies to protect their assets, and then there is the best-of-breed security technology added for each technical problem to solve. That way we can ensure that we did everything we could to protect the business – right? Well, I do not completely think so.
I read this article this morning: Uncovering the Dangers of Network Security Complexity – it is not really news that complexity is the enemy of security. But read this:
Think about this for a minute. In our attempts to defend the network and critical assets from cyber threats, we have fallen into the trap of bolting on more and more security layers and policies. The result is that we’ve increased the level of complexity within the environment to the point where we have actually created risk because of human errors, misconfigurations, etc. It is vital to get a view of all of the security policies across all of the different devices and vendors in a way so you can understand where your gaps are, not just by device/policy, but as a whole. Also, you should always consider what is already in place and see if there are current policies that need to evolve or be removed before you add on more layers or policies.
It is probably time to re-think our strategy – no? I am a firm believer that security can only be effective if it adds business value – does it in your case? I know that the classical protection and incident response work will remain part of our job, but think about where you add value to your business and try to reduce complexity…