There is an interesting phenomenon in the sports world surrounding fans and trades. It goes something like this...
Giants Fan 1, "Man, that Albert Pujols is really something else. I sure would like to have him on our team."
Giants Fan 2, "We should offer the Cardinals three of our mediocre players for him."
Giants Fan 1, "That'll never work, they won't give him up for three mediocre players."
Giants Fan 2, "Okay, we'll give them five of them... heck, give them seven mediocre players!"
Giants Fan 1, "Yeah... this is starting to sound real good."
The fallacy says that if you add up enough average players they are worth a superstar. Or as I've heard it explained before, make a tall enough stack of trash and it just might work. The problem is that there is no amount of mediocre talent that adds up to Albert Pujols' value. He is simply worth too much to be replaced by a commodity. The same is true of any exceptional talent.
So, what does this have to do with information security? This seems to be the same strategy many organizations use when it comes to implementing defense in depth. They focus on making the tallest pile of security measures. But when it comes down to it, a mile's worth of depth isn't worth one truly effective measure.
We have all heard that defense in depth is required for an effective security program. But in many ways defense in depth has become a security blanket for companies rather than a security strategy. A large number of different technologies may give a nice sense of security, but a control that is poorly configured, never tuned, or never fully turned on adds negligible value no matter how many others sit beside it.
This means that organizations that are racing around trying to purchase and implement the latest and greatest should stop. Take a hard look at those systems you already have in place, and figure out what you're getting from them. Real risk mitigation is not about having all the greatest countermeasures, it's making sure that the countermeasures you have in place can do the job.
This is good news for just about everyone involved (though not so much for the VARs and technology manufacturers, who will be losing the sales). The company can save money by not buying every solution out there. By focusing on the highest-impact defenses first, and implementing them thoroughly, it can spend less on new technologies while getting more results.
The technical employees win because they are able to invest more time getting to better understand and master the technologies they have in place. There is a ton of value in being the master of a few technologies, rather than familiar with many.
For those companies who see themselves stuck in this situation, think of this as a money-saving opportunity. Look at your security stack and do some real analysis of the technologies you have deployed. Are they really providing the security they promised? Are there significant features and functions you haven't even turned on yet because you haven't had the time or staff? Take the time to answer these questions truthfully and candidly. Your answers should lead you to optimize or drop those that aren't currently supplying significant value.
After you have maximized the impact of each of your technologies, it very well may make sense to add more depth. That new web application scanning tool or DLP product absolutely can make your organization safer. But by putting off its implementation until the rest of your tools are properly configured, you not only save money, you make your organization more secure.
Cross-posted from Enterprise InfoSec Blog from Robb Reck.