550 words, 2 minutes.
“All men can see the tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved” - Sun Tzu.
This is the 6th and final post in a short series on winning systems for security practitioners. The first post feels like a while ago already, about 6000 words or 25 minutes. Those minutes haven’t been wasted.
The Inevitable Car Analogy
If you’ve come this far then you’ve already completed one whole lap around the circuit of winning systems.
It’s over to you to drive the 2nd lap solo. This time you’ll start to develop a security transformation plan. On your 3rd lap you’ll be in a position to evaluate what products you have, what you need, and what you can do without. By the time of your 4th lap you’ll be making configuration improvements. The 5th lap will be a wet lap, there might be some hazards, maybe a spin, it will have you improving your resiliency. By the time of the 6th lap you’ll know the circuit so well that driving will become automatic.
With every subsequent lap the car gets lighter, the time comes down, the tyres grip harder, and your lead will grow. We know this race doesn’t have an end. If it did, it would only be a matter of time before you’d honed your performance enough to lift the trophy. Inspired skills make for an exciting driver, but it’s consistency and a winning strategy that makes a world champion.
So how did the last 25 minutes learning the circuit compare to a 3-day product training course? Or a 3-month certification study and exam? How will those things compare after your 6th lap, or your 60th?
Systems Versus Products
I’ve deliberately tried to avoid mentioning products or classes of product. Products come and go, as do vendors. Some are better than others. Even the best in each category only enjoys a few years at the top. It’s no bad thing. Some products have features that can be used at more than one point in a given system. Some lend themselves to more than one system. Continuous improvement and innovation in products is necessary to cope with the rising volume and sophistication of attacks. New ideas, new companies, new people. Products and vendors should always be the instrument of winning systems not the other way around. How else are you going to maximise the value you get from a finite Capex and Opex budget?
Systems Versus Skills
Perhaps you’re lucky enough to have some highly skilled security professionals in your organisation. Adopting winning systems frees them up to do the work that only they can do. The hard part, the “learning the lessons” part, the part where you get stronger after each attack. Systems are force multipliers for the skilled, not the other way around.
Did I mention it’s easier to document systems too? That could come in handy if anyone brings up compliance or audit.
“The first gulp from the glass of skills will turn you into a CISSP, but at the bottom of the glass, systems are waiting for you”