By Elliot Lewis.
WHAT IS IMMINENT OBSOLESCENCE?
If you are running a business in today’s world of almost constant technology change—your security mitigations will eventually become more ineffectual for you over time unless you are watching for Imminent Obsolescence.
Technology is constantly evolving—and security tools need to constantly evolve with it. When vendors engineer their solutions—those solutions are being created with the use cases that define the security threats of that point in time when the solution architects conceive of the solution. Then development needs to happen, testing needs to take place, pilots need to be done…in other words, from the time of conception through the time of development the use cases are already potentially dated for the current threat environment—if not possibly completely stale!
This does not mean that any kind of engineering development is “doomed from the start”—far from it! The best engineering teams and solution architects take these timelines into account and work with them. I know of many solution teams and vendors that do an excellent job of thinking ahead and making sure that their current solution has a solid core of functionality and it is extensible and can be adaptable over time as the technology market evolves.
Every security mitigation—when deployed by the purchaser under their current conditions, use cases and frameworks—will only have a limited time of viability as the purchaser’s technology usage evolves around these security tools over time.
WHAT CAUSES IT?
First and foremost, most of the time imminent obsolesce is not usually caused by the security mitigation tools themselves—it’s caused by the environment changing around them—and thus making the mitigation obsolete within that environment over time. After all, if you deploy a solution that is perfectly suited for an environment, and that environment is going to remain completely static over time, that mitigation will maintain a relatively stable level of functionality. (I say “relatively” because every solution will require software updates, fixes, upgrades, etc., over time. After all, no software is perfect nor remains so over time…)
Businesses grow, technology evolves, and businesses need to adopt new technology to compete, to thrive, to grow, to maneuver, to acquire and consolidate with other companies. Business environments, and the technology driving them and operating them, will change as the business ecosystem changes—sometimes slowly—sometimes very rapidly!
WHY DO COMPANIES NEED TO CARE?
Security is never a static deployment. To be effective both currently and over time, security strategies, architectures, deployments operations must adhere to three basic principles: they need to be NIMBLE, FLEXIBLE and ELASTIC. (I’ll be doing a full article on these three core security principles coming soon—stay tuned!)
Any good security strategy will include the need to watch and monitor for Imminent Obsolescence—because the last thing a company wants to do is find that their mitigations have gone obsolete “the hard way”—BY COMPROMISE rather than proactive planning…and even more so, to find out that THEY were the ones that made the obsolescence happen just by growing or modifying their business operations!
WHAT CAN BE DONE ABOUT IT…
There is no doubt that it is hard enough to manage and monitor the security environment of a business in the regular course of a given day. Just using your security mitigation deployment “as designed” is often a daunting task. How can we therefore monitor for the moment in time that it is not working efficiently—or even more so—when it will stop working efficiently due to planned changes in the business in the future? This is where the techniques of Mitigation Effectiveness Modeling come into play…and I’ll be going into depth on these concepts in my next posting!
Elliot Lewis is Chief Executive Officer at Keyavi Data Corp. He brings over 27 years of executive management experience and industry leadership in cybersecurity. He has held roles as principal at Cyber-Security consulting research; Chief Security Architect at Dell; Director of Strategic Services, Security, and Identity at Cisco Systems; Chief Information Security Officer (CISO) of Merrill Lynch, and former Senior Security Architect, Security Center of Excellence for Microsoft. Elliot studied computer science at Northeastern University. Follow him on Twitter and LinkedIn.