Head of Tools
A senior member of the ISF Team, with broad expertise across security product management, compliance, governance and data privacy. Always looking for ways to integrate security best practice with practical, actionable approaches and products.
A Principal Analyst with the ISF Tools and Methodologies Team, Alex has been with the ISF for over 8 years. He works across the Tools and Methodologies team. A member of the team for seven years, Alex works across the ISF Tools portfolio to ensure that deliverables provide maximum value to Members. He has previously led the ISF’s software development activities for the ISF Benchmark, was the lead author for the Standard of Good Practice for Information Security, as well as the ISF’s GDPR Implementation Guide.
“Simplifying security.” It’s a phrase often touted across the security industry, but what does it mean in practice? A quick Google search tells you that in order to simplify security, you need to consolidate down to fewer providers (including the one whose blog you’re reading), automate everything and consolidate your extensive logging programs into… a single, even more extensive logging program?
This simplification doesn’t really sound that simple, does it? Simplifying security doesn’t just come from using fewer tools, especially if these tools open up a thousand avenues that you’ve never even considered. What matters more is simplifying the approaches and products that we use every day. It doesn’t matter much if you’re using a few tools or hundreds – if those tools are too complex, don’t achieve their purpose, or are too difficult to use, then their impact will always be limited. Furthermore, in a world where everything is speeding up, where attention spans are limited to the length of a TikTok video or Instagram Reel, is a tool with hundreds of options that requires months of training the right approach for your business and/or your employees? Balancing rigour with accessibility is proving to be one of the most complex problems for solution providers, and something that every business will need to grapple with in the coming years.
Simplifying security starts with the basics, way before we get stuck into hugely complex tools offering all manner of services and integrations. Take a run at some of the basic security standards out there, all of which are designed to mitigate the most common cyber threats. Put good security practices at the foundation of everything you do, but don’t boil the ocean; a light touch is better than forcing people down a pathway that irritates them. Review the tools you do make use of. Do they meet your needs? Do they meet the needs of your end users? If something is too complicated, are there grounds for stepping back and using something more manageable? As a friend once put it: “Ferraris are great for track days, but if you’re going to the supermarket, you need somewhere to put your shopping.” Simplify your security by getting the basics right.