Beware the pitfalls of haphazardly deploying data security solutions to your environment. Data security can be very complex and proper planning is a necessity. Unfortunately, many organizations choose to avoid complex planning and take the easy road down what appears a much simpler path. The origin of these problems rests with the vendors, consultants, and even customers driving to ‘just start small’ with one capability then build up from there. They want to act tactically with the hope to eventually build it into a strategy.
I empathize with their position. Risks to data are rapidly increasing. Coupled with the fact no all-encompassing solution currently exists, it sounds practical to tackle the challenges in a piecemeal manner, especially as other options are limited. Protection is needed. Customers want whatever is available and vendors are happy to sell whatever solutions they have at hand. Any traction is good, right?
I urge caution. This tactical approach is only good when a comprehensive solution exists and it is rolled-out piece by piece. Managed properly, program teams would land the infrastructure, support and management components then bring in each feature set, tuning all the while, and build up the optimal service stack in a controlled, effective, and cost efficient manner. Once integration is complete then operations teams continue to support and manage the service, including updates which add extensibility, bug fixes, and aid future vendor development of improvements. The enterprise can reap the security benefits of a well-oiled machine and reallocate project team focus to other areas needing attention.
The reality is, although some great point solutions are available, a comprehensive data security solution simply does not currently exist. The tactical to strategic approach is a path which leads to a revolving door of bolt-on solutions with incompatible tools, vendors, metrics, administration suites, technical requirements, and separate sustainability problems. Overall system complexity will crush in on itself as issues multiply. Service gaps and conflicts arise, customers will be continually impacted then asked for more time and patience for the implementations. In many cases employees vital to the business are asked to work differently to help make the security solutions more viable. This is the sure sign of defeat. Security services should be aligned to how employees efficiently get their work done and make it secure, not the reverse. The tail of security should not wag how the enterprise achieves productivity.
Even after the integrations hurdles are passed, even rougher seas are ahead. Separate sustainability cycles will draw heavily on resources and more focus is wasted on getting everything to work, and choosing which problems won’t get fixed. Keeping the rioting of users to a minimum becomes necessary and shortly thereafter restoring user confidence and project reputation must be tackled. Eventually, these distractions consume more effort than what is dedicated to provide a quality security service which prevents and minimizes loss.
I have seen this song and dance many times before across the industry. Ultimately that path proves to be terribly inefficient, expensive, and delivers poor security while destroying the credibility of the information security organization. The mass of tools becomes a beast which cannot be sustained, supported, and will begin to severely impact user experience and their crucial ability to generate profits. To compensate, features and support are cut back and in doing so the security capability is undermined. The result is an expensive and unwieldy system in place with little security benefit. Such sinkholes are difficult to escape once on the spiral path down. Take pause. It is best to avoid the problem and think strategically in the first place. Don’t get sucked into the void of despair. Have a well thought out plan. Clearly understand what you need when, and which set of solutions will best combine to meet your long term expectations. Think strategically and act tactically.