What is Shiny Object Syndrome and What Does It Have to Do with Information Security?
There are many descriptions for S.O.S. out there, but the following may be the most concise I’ve seen:
“Shiny Object Syndrome (Objectivius Shinium Syndromus) is defined as the attraction to objects that exhibit a glassy, polished, gleaming or otherwise shiny appearance.”
Another way to look at it is through the example of a dog in a park running from squirrel to butterfly to another squirrel to a blowing leaf; all the while ignoring its owner’s pleas to behave. So how does this relate to information security? In this context, S.O.S. can be characterized as the rapid, unchecked growth of “new” security tools that end up cluttering security programs and ultimately limiting their effectiveness.
A couple of forces are at work and enabling this to happen: the increased awareness and focus by boards of directors and c-suites on cyber security; and the increasing difficulty for teams to improve their security program which requires an increase (or even just maintenance) of their budgets when the results of their current programs have not resulted in any bad news for their organization.
As boards and executives are held more accountable for data breaches and other similar incidents, they are trying to keep up with trends in the information security market. They garner information from colleagues at other organizations as well as from direct marketing by security vendors. Given that many don’t have much experience in information security or even have a solid grasp of their organization’s current program for countering cyber threats, they are easily attracted by the bold marketing claims of next-gen security tools, as well as influenced by their peers’ purchase decisions. This often results in asking information security teams to purchase specific tools without proper consideration for how they will impact the existing program.
At the other end, these teams are trying their best to keep up with the changing threat landscape and do all they can to protect their organizations, often while battling to justify what they already have in place. It’s difficult enough to justify spending based on the typical ROI conversation, and it’s too often thought of as a cost center without any tangible financial benefit. Some of this can be chalked up to the fact that many security professionals currently lack the ability to translate their department’s activities into a language executives can understand. This is compounded by a “paying for silence” issue. To the business leaders, if there haven’t been any reported data breaches, malware outbreaks and similar incidents in the past year, they believe their security program is fine as it is, so they choose to not allocate any additional funding, and in some cases, may actually ask for cuts in spending. As a result, security teams push the purchase of “new” antimalware, intrusion detection systems, and other solutions over shoring up what they already have because they find it easier to get approval.
This becomes a vicious cycle that gets more difficult to break over time. Warning signs of S.O.S. include: challenges parsing and correlating large amounts of disparate data from all the tools; strain on in-house resources to implement and manage the tools; and an increased risk of compromise by threat actors.
Given all of this, what is the prognosis for organizations that are suffering from S.O.S.? Over time, these tools add up. Either poorly leveraged or completely abandoned, they can limit the effectiveness of a security program and ultimately lead to a decline in the security posture of organizations.
Advice for combating S.O.S.?
We need to go back to basics and embrace foundational security practices. Far too many organizations have not done the work to ensure that their programs are built on a solid foundation – the basic blocking and tackling of information security. Without this, they can easily become over burdened by too many tools and become less effective than is assumed.
We can all agree that there are many foundational security practices, but I have chosen to focus on three as I believe that, if properly implemented, will provide the largest reduction of risk and make it harder for a threat actor to move laterally through your network. These include: network segmentation; access control and authentication; and encryption. That doesn’t mean that other foundational controls aren’t important – they are – just not as important as these three.
In the next blog in the series, I’ll break down these three practices and other cures for S.O.S. Stay tuned!