We, as security professionals, want to do the right thing, making sure everything and everyone is more secure. In doing so, we bring a lot of problems of our own making into the world of security, a place that is already complex and, more often than not, complicated as well.
Maybe we need to start asking ourselves and our teams a few questions before we approach each problem.
These are the questions I usually ask myself and my team:
1. Is this the right problem to solve?
Are we focusing on solving the right problem? Is the solution for the issue at hand a simple one? If it appears to be more complicated than needed, then we might not be solving the right problem.
Some problems are not ready to be solved yet.
We need to ask ourselves: if we split the problem into smaller pieces, is it still complicated to solve?
If yes, then ask: do we have other, more pressing priorities? Most likely we do.
2. Has anyone else solved this issue?
Let’s ask ourselves if anyone else has already done the legwork. Better security means sharing lessons learned, so let’s check whether other teams have already solved the problem. Sometimes it’s the simpler solution.
3. Does the solution click?
If we think we still have the problem to solve and no one else has solved it, then we need to find the solution ourselves. However, let’s focus on finding the simplest way to attack the problem.
Then let’s ask: does the solution we think we found make us go “how come we didn’t do this before?” If it doesn’t, then it might be too complex, or not the right solution.
Is there a way to solve the issue with something so obvious that we are left wondering why no one else is doing it? It might take some extra time, but the exercise of answering this is worth the effort.
4. Can you explain the solution easily?
Can we diagram it on a napkin in a simple way? Can we explain it in plain terms to non-security people? If we can’t, then it’s not as simple as we thought.
Can we simplify the solution then? Can we remove the more complicated or complex parts of the solution and replace them with simpler processes or services?
When security is simple, then we can begin to understand better when things don’t work, and when things are about to go sideways. As Principle 6 states:
"6. Keep It Simple
Have clear priorities and communicate them in a simple way. Strive for procedures and automation that are easy to follow and are repeatable. Security supports a larger objective, don’t develop in a vacuum."