When Secure IT Systems decided to move away from the MSP space to focus solely on Information Security, it was to help fix a broken information security industry. One of the ways it’s broken is that there are many people and vendors participating in the money grab, trying to sell you potentially ineffective cyber security technology solutions. We call these blinky lights, and the problem is better known as “The Blinky Lights Syndrome”: high-tech products or services that falsely claim they’ll fix everything for you automatically.
You’ve seen what I’m talking about. The one information security tool that will solve all your problems, or the “ultimate cybersecurity stack that every MSP needs”. The silver bullet, the magic cure, the “but wait—there’s more!” It’s shiny, fancy, and new, and it costs a pretty penny, so it must solve everything. Right?
Wrong.
Blinky lights are problematic. There are many reasons why, and we will go over some of the biggest ones.
Blinky Lights Don’t Address the Fundamentals
We constantly preach the value and importance of doing the fundamentals thoroughly and well. Deciding when to implement a higher-tech solution is no different.
When you think about your own information security program, is there any one tool that you use or have ever used that solves everything? Do any of your colleagues gush about how they were able to get rid of every other infosec activity once they signed up for Blinky Light #1534? Of course not.
Instead, you likely talk about things like implementing a new policy that was highly effective or doing phishing training that increased your employees’ awareness by 12%. Or maybe you talk about how proud you are that one of your colleagues told you he had implemented MFA on all his personal accounts, not just his work ones. (Just kidding—we know that is a fantasy.)
The point is, the fundamentals are imperative. You simply must do a good job on things like training, firewall configuration, VPN use, universal enforcement of password managers and MFA, access control, group policies, etc. Do these well, stay on top of them, and then consider if a blinky light solution may actually be a helpful addition to your information security program.
Where do those fundamentals begin?
Well, I guess that is the million-dollar question...
We believe it begins with a risk assessment. After all, you cannot protect what you don’t know you have.
We are not talking about your standard IT/Network assessment, but a thorough, long-term strategy assessing the 4 fundamental infosec controls (administrative, internal technical, external technical, and physical). You would be surprised how a risk assessment will guide you to the most effective cybersecurity solution.
Note: If you don’t know what the fundamentals are or how to implement them, we are more than happy to help. We don’t charge for time (we’re not lawyers, but we love to work with them!), so call us anytime.
“Lipstick on a Pig”
This just means you’re using this blinky light technology as an appealing coverup to hide the fact that you have some glaring weaknesses. If you find yourself pushing some solution that you believe will solve all of your problems, ask yourself: “Am I doing this because it’s flashy, or because it will truly supplement the foundational pieces I’ve worked to build?”
For example, if you’re looking at an automated log monitoring solution, it may be truly helpful for your program. But do you know what usual logs look like so that you can discern what is unusual? Or are you hoping the tool will figure that out for you?
The unfortunate truth is that information security budgets are often much smaller than they should be. With limited funds to begin with, why waste them on something that won’t make the most impactful improvement possible for the money?
Those dollars should be spent giving yourself a solid foundation. Once that’s in place, then budget should be spent on supplementary tools you have determined you need based on your unique program. If that’s a blinky light, go for it. But, chances are, it’s not.
Blinky Lights Add Complexity
Complexity is the enemy of security. The more layers you have in your information security program, the harder it is to manage. And, not to be repetitive, it’s also more likely you’re not meeting those ever-important fundamentals. If you’re always focused on managing tools, you may be neglecting staying on top of the basics.
Especially when you throw one tech solution on top of another, you’re going to have a hard time keeping track of what everything does, is supposed to do, and even can do. If you struggle to stay on top of the tech stack, what do you think your users will do? With a half-dozen bells and whistles to log into and keep track of, your users may become fatigued. It is then unlikely they will use your tools effectively or understand their value.
When neither you, your tech team, nor your users effectively use the tools you’ve put in place, they lose value. All or most of the time and hard-won budget you spent implementing them is wasted. And, you have a harder time proving your department’s effectiveness and negotiating more budget next year.
Blinky Lights Offer a False Sense of Security
If you’re sold a solution that claims to solve every infosec problem you encounter, at minimum, you’ll hope that it works. At most, you’ll believe that it is actually doing all of the things it claimed it could. You’ll believe you’re far more secure than you are. You may let your guard down, especially about things that you normally would remain diligent about.
If you rely on one single product or solution to warn you about vulnerabilities or tell you definitively that you have encountered a compromise, you are in for a nasty surprise. A successful and mature information security program relies on many different factors to keep it safe. It requires some manual checks to detect compromises. Even logging and alerting systems (which we recommend you use, for the record) are not effective if you do not know which components of your environment need to be monitored and how to interpret the log results.
Note: we are firm believers in the “it’s not if, but when” sentiment echoed by most infosec professionals regarding compromises. So, we hope you are never under the impression that you cannot be compromised, regardless of why you feel that way.
A Final Note
Information Security is not about information or security, as much as it is about people.
In the infosec world, I find there are 2 types of bad guys:
- Overt – bad people who don’t try to hide their motivation. Ones who overtly take advantage of people.
- Covert – ones who take advantage of others, posing as the good guys. They sell you “blinky lights” that you don’t need, that you don’t know how to use, or that do not work.
I call them wolves in sheep’s clothing.
So, some things about wolves:
- Some of them know they are wolves, and they feed off your ignorance, fear, and confusion.
- Some of them don’t know they are wolves, and believe they are actually helping people.
- Some of them never really thought about it.
What do we do to keep ourselves honest? We need to ask ourselves honestly: “Is what I am about to do going to help fix the broken industry or make it worse?”
While there are many reasons to avoid unnecessary technology solutions just for the sake of having them, we do realize there is a time and place for many of the automated solutions we have just given you reasons to avoid.
Also, be sure to ask yourself if you’re avoiding doing something else that’s not adding the intended value or is adding unnecessary complexity. Finally, no technology should ever be enough to make you feel like you can’t be compromised. There may be a time and place to implement automatic solutions, but you must first address the fundamentals and assess your level of risk.
Need help getting those basics buttoned up? We’re here to help.
* * * * * *
Author: Lyle Melnychuk
I am a 20-year information security veteran, and I tell it like I see it. I’m not known for being politically correct, and this sometimes gets me into trouble. More often than not, however, clients and colleagues come to appreciate the candor and common-sense approach. If you look at security (the right way), you’ll find that it’s just not as complicated as people make it. I hope you enjoy my writings on security and other miscellaneous things. I really have a strong and deep passion for helping people with technology and making the world a safer place.