“Four years!” As soon as the words left my mouth, I regretted saying them. Not because they were wrong, rather the incredulousness in my voice was instantly met with furrowed brows and folded arms. Across the table was a potential customer, and thanks to my lack of decorum (which should surprise exactly nobody who has met me), this was likely never going to become a paying one.
This organization was in their fourth year of a compliance initiative. My incredulousness was an honest response to a seemingly ludicrous situation. How can an organization spend four years working on compliance?
The answer was what holds back compliance at almost every company.
“So, where are you at with this project?” I asked, with all the sincerity I could muster.
“Well,” the security manager answered, slowly, “we’re evaluating Cylance and Crowdstrike, and Sentinel One, but we already have Symantec. And the network team really hates the LogRhythm SIEM we have, so we have a POC going with Splunk, Sumo Logic, and…”
Ah, Next Shiny Object syndrome, the most pernicious of the advanced persistent threats. Next Shiny Object (NSO) is when an organization remains mired in the endless process of evaluating technologies, rather than actually making those technologies ever fulfill any of their needs.
NSO is the number one reason why compliance and security projects take so long and lead to poor results.
If NSO stalls projects, it is false diligence that causes NSO to happen in the first place. There is this belief among IT and security professionals the more technologies you evaluate, the more likely you will find the “right one” which will solve all your compliance and security headaches.
This manifests in eternal shoot outs, proof of concept, and evaluations of technologies. Giant technology shows stoke this process with splashy demos and wild promises of massive efficiency and security gains. Of course, these promises are as hollow as the demo booths. These products seldom deliver on their promises. And even when they do create improvements, there is an equal increase to administrative overhead that, of course, the vendor never bothers to mention.
NSO is “fake work.” It feels like work. It consumes time, effort, and resources, like work. Yet it does not advance the organization forward. NSO trades the feeling of diligence, for tangible accomplishment and forward momentum.
NSO does, however, satisfy vendors and VARs. These places absolutely adore NSO. Without it, they have no hope of getting a sale. Vendor sales people are master artisans at distracting teams into perpetually looking for something new. They will undermine existing technology, merely to get a POC on the customer’s agenda. They will push an endless stream of “analyst reports” to show how amazing their technology can be. And they will use their most powerful weapon, peer pressure. Nothing gets a weak CIO to a lunch n’ learn faster than name dropping some big important somebody who is using their technology.
Like almost every problem in IT and security, NSO is ultimately the expression of weak leadership. Weak leaders fall for the belief that they must have the best of the best of the best of the best of the best of the best (you can keep adding bests to that). And of course, if the globally dominant big boy company across the street is using the newest tech, well they must have it as well so they can be part of the big boy club. Weak leaders are easily manipulated through feelings of inadequacy. They sacrifice tangible accomplishments for feeling important and adequate. Vendors and VARs feast upon these feelings of inadequacy and stoke them.
However, another reason why NSO happens is because weak leaders simply do not know how to move forward. Compliance initiatives are big, complex projects, that involve a lot of tedious detail. Perpetually evaluating new technologies can ensure than they never have to make a decision that will be scrutinized or challenged. This feeds the whole “fake work” process where they can look and sound extremely busy, without actually accomplishing anything.
Nevertheless, it is not only weak leaders who do this. IT people are unindicted co-conspirators. As a technology person myself, I will fully admit it is much more enjoyable to fiddle around with a new technology than maintain an existing one. Again, vendors and VARs know this, which is why they lavish dinners and lunches on IT people to keep them entranced with the next shiny object.
Break the NSO Curse
If NSO is the result of weak leaders, who fall victim to false diligence and selfish interests, the cure for this affliction is to cut off these bad behaviors.
Here is my three step anti-NSO protocol:
Step 1: Boot the Vendors
You need to cut off the influence these outsiders have on your people. I am not suggesting being hostile or rude. Rather, prohibit your team from going to vendor lunches or demos. Make the process of vendor engagement more formal. Better yet, work with solution providers like managed security service providers who can abstract the whole vendor relationship entirely.
Keep vendors and VARs away from your team. They will constantly pressure them with stories of how your competitors are wildly successful with their technology. This is solely to get you feeling inadequate and wanting what others have.
Step Two: Ascend to the Cloud
Except for payment terminals or user access points, your compliance environment should be entirely managed in the cloud. To be blunt, there is no reason NOT to move into the cloud.
Once you commit to the cloud, you can automate the deployment, enforcement, and monitoring of security controls — dramatically accelerating the compliance effort. Moreover, the number of vendors who are cloud-savvy is much smaller, thereby limiting the vendors you must evaluate in the first place.
Step Three: Refocus Diligence
The technology you select is largely irrelevant to compliance. The differences between products are minor. It is far more important how those technologies are configured and managed. As such, just flip a coin and go with whatever technology is easiest to acquire (probably something you already have.)
Refocus all this diligence on monitoring, management, and operations. Focus on developing metrics and tools that promote agility and quick response to problems. Promote people who optimize existing practices with automation, rather than buying yet another new tool.
Nobody Cares About Your NGFW
Here is a sobering fact: every single company that has experienced a serious breach in the past ten years owned a NGFW (including the one you have). Most of them also had endpoint security, PCI compliance certificates, and a whole bunch of other endorsements for security.
And none of that mattered.
Your company’s ability to protect data or meet compliance requirements is not dependent on the technologies you own. Rather it is how those technologies are used, monitored, and managed on a daily basis. Spending a ton of money (and time) perpetually looking for the “best of breed” technologies will not solve your problems. You must put your efforts into the operations and optimization of those technologies.
And what happened to that potential customer? They remained mired in NSO until they finally got a new leader who trusted us to do it for them. In a few months we had the entire environment built, configured, and compliant. We could do that because we stopped evaluating products, and started implementing them. This was one of our early projects that convinced us to pursue Sherlock Compliance Automation.