When It Comes to Security, Simplified Engineering Is Better

Information security remains somewhat of a mystery to most business leaders.


I grew up surrounded by art, and over the years, I’ve grown to appreciate the fact that beautiful paintings come in many different forms.

This is especially true when it comes to abstract art. At one end of the spectrum, you can find a Mark Rothko that features one or two well-organized squares of different colors, and at the other end, you can find a chaotic Jackson Pollock splatter painting that features a mess of every color of the rainbow. To me, both styles are beautiful; both styles are appealing.

Recently, while reflecting on the broad definition of “beauty” in art, I realized that similar principles can apply to the software products companies build and purchase and the way they go about keeping them secure.

Our current digital climate is one of excess; every product must do everything. Today’s users ask for more and more complex features, and companies continue to grant their wishes. Now, the biggest businesses in the world — such as Google — are relying on beautiful (yet highly complicated) artificial intelligence and machine learning just to keep their products running and secure.

The average modern company approaches product development as if it’s painting the next great Jackson Pollock masterpiece: a tangled, overlapping, excessive jumble of every possible ingredient. It’s a sign of the times — our impatient, bigger-is-better culture — but things don’t necessarily have to be this complicated.

Develop Like Rothko

Rothko’s simple art was just as impactful as Pollock’s complex works, and the same can be said for your company’s development methodologies. This is not a matter of “do more with less”; it’s a matter of identifying the overlaps and duplications within your processes, pipeline, tools, and systems. It’s getting lean, boosting your efficiency, saving tons of money, and releasing your product faster than ever before.

Inefficiency can plague several different aspects of the development process, but let’s focus on one of the most common areas it can be found: security.

Information security remains somewhat of a mystery to most business leaders. It’s viewed as a confusing and expensive — but necessary — box they need to check in order to comply with federal regulations and keep themselves and their users safe. Instead of taking a methodical approach, they throw the entire kitchen sink at the endeavor. They hire as many vendors and purchase as many products as their budgets allow, thus creating a complex, sprawling network of overlapping systems, processes, and tools.

Sure, this approach might result in checkbox-compliant security, but it’s costing businesses way too much money and bogging down their delivery times. One of my company’s clients found itself in this very boat. A hypervigilance toward security compliance resulted in an arduous 1.5-year product delivery cycle. However, once our client learned how to embrace lean security, its delivery cycle shrank to half that length.

Begin Your Simplification

Simplified engineering requires leaders to conduct a deep analysis of their systems, vendors, and spending habits. Here are the three main steps of this undertaking:

1. Map and Assess Your Systems

Map out every single development product and system your company utilizes, and identify exactly what purpose each one of them serves. Who uses it, how are they using it, and what are they accomplishing? Once you create this map, you’ll likely discover that multiple departments across your company are using different systems to accomplish similar tasks.

This is exactly the type of sprawl that holds companies back from hitting their goals. Development and security must be approached holistically and collaboratively. Rather than every department getting the green light to purchase their own tools and products, representatives from across the company should work together to identify a select group of systems that suit everyone’s needs.

2. Prune Your Vendor List

One of the telltale signs of overly complex engineering is a vendor list that’s pages and pages long. Again, this is what happens when businesses take an every-department-for-itself approach to development. Multiple vendors get hired to fulfill overlapping roles, and money flies out the door as a result. For example, companies sometimes have five different antivirus vendors on the payroll when one would be more than sufficient.

Ask your finance department to compile a comprehensive list of every vendor your company is currently working with, detailing who hired them, how much they’re costing you, and why they were brought on. Dive deeply into this list, find all the overlaps, and prune it accordingly.

3. Evaluate Your Entire Cost Structure

Once overlapping vendors and systems are eliminated, leaders should then dig into the performance of the remaining ones to weigh whether they’re worthy of continued investment. View it as a cost-versus-value proposition: Is the money you’re spending on this service resulting in a faster time to market, lower operational costs, reduced risk, or whatever other goals your company may have? If the answer is “no,” then it’s time to stop throwing good money at suboptimal outcomes.

When conducting this examination, don’t just look at the upfront price tag and licensing fees; look at the ongoing time and human capital commitment these tools and systems require. For example, if you’re paying top dollar for an HR information system that is intended to streamline your hiring process, yet you still have 50 recruiters on your staff, you might be able to reach the same outcome with a less costly alternative. Your ongoing annual support costs should be just a small fraction of your initial purchasing fees.

A development methodology that follows the Mark Rothko model of simplicity requires a commitment from your entire company. Everyone must be aware of how a siloed approach creates overlapping systems that slow progress and waste resources.

Once everyone is on board, the fat is trimmed, and only the best processes, tools, and vendors remain, you end up with a manageable, concise network of systems that all fulfill — or perhaps exceed — your company’s big-picture goals.

What’s more beautiful than that?

Andrew Storms is the vice president of security services at New Context, a rapidly growing consulting company in the heart of downtown San Francisco that specializes in lean security and helping companies build better software. Andrew has been leading IT, security, and compliance teams for the past two decades. Previously, he was the senior director of DevOps for CloudPassage and the director of security operations for nCircle (acquired by Tripwire).
