Following last weekend’s Glastonbury Festival, many baby-boomer security professionals will be back at their desks buoyed by the performance of the Rolling Stones. The ageing rockers’ ability to win over a much younger audience with 1960s classics like ‘(I Can’t Get No) Satisfaction’ has provided a good deal of satisfaction to their peers: proof that the older generation still has something to offer.
But what price job satisfaction for those CISOs? That’s a lot harder to come by.
Back at the coalface, security is a constant battle against criminals, opportunists, state-sponsored hackers, and careless or corrupt insiders. There is no ‘winning’ this cyber security war, just a continual effort to shore up your defences as best you can.
That pessimism is encapsulated in the popular saying that there are two kinds of organisation – those that have been hacked and those that don’t know they have been hacked. And this week, MI5’s head of cyber intelligence has chipped in with the similarly memorable joke: “There are now three certainties in life – there’s death, there’s taxes, and there’s a foreign intelligence service on your system.”
With that in mind, US security expert Dr Larry Ponemon has put forward his own saying for CISOs: forget job satisfaction, Ponemon advises; instead you should settle for being “satisficed”.
Ponemon first heard this word, a blend of ‘satisfy’ and ‘suffice’, from his former teacher at Carnegie Mellon University, Professor Herbert Simon, who coined the term and won the Nobel Prize in economics in 1978.
Simon’s theory of bounded rationality holds that decision-makers rarely have the time, information or computing capacity to find the perfect option, so aiming for it is unrealistic. Instead, they search until they find an option that meets an acceptable threshold, then stop: they “satisfice”, settling for what is good enough and achievable.
Larry Ponemon applies this philosophy directly to the IT security profession. The “satisficing” approach accepts that you will be breached, and it accepts that even if you buy the very best firewall and the best anti-virus product, you still won’t be 100% successful.
For one thing, if you buy ‘best-of-breed’ products from dozens of different vendors, what chance have you got of ensuring all these individual systems can be integrated and made to interoperate? And on a personal level, if you try to keep pace with every new development and every new product launch, you could drive yourself mad.
Ponemon believes more IT security professionals are coming round to this way of thinking. “Complexity has become a very big problem,” he says. “We have noticed there is a trend away from ‘best-in-breed’ technology. Organisations have continued to ratchet up the complexity to the point where even if these solutions are really good individually, as a coherent unified system it really wasn’t working very well – there were just too many gaps.”
“We’ve noticed a trend to ‘satisficing’ behaviour – you are not trying to optimise because it would take too long. So instead you ‘satisfice’ – you choose what is OK. We’re seeing companies starting to move from many vendors to a few vendors, picking a vendor that could provide a platform, different solutions but it’s all under one umbrella. The key is that by doing that, it becomes a little less complex and can be more effective, even if these tools are not perfect.”
All of this is a curious repeat of the great “all-in-one versus best-of-breed” debate that defined the ERP market back when the Rolling Stones were merely middle-aged. And if Ponemon is right, in security it will be the all-in-one solutions that win out.
The idea is credible enough that organisations might want to reconsider their security strategy and ask whether they are better protected by a simpler, integrated set of tools than by the best of everything wired together with gaps between them. The trade-off to weigh is that a single platform’s blind spot becomes the whole organisation’s blind spot, so consolidation only pays off if the platform’s components genuinely integrate and the vendor covers the gaps that matter to you. Get that right, and you will be “satisficed”.
OK, the word is a bit ugly and is never going to be catchy enough to make a Rolling Stones hit. But taking this approach does mean that as a security professional, you might just avoid your 19th Nervous Breakdown by accepting You Can’t Always Get What You Want.