From small organizations with duct tape and bubble gum defenses to larger enterprises armed with fortress-like custom solutions, improved security posture comes from both ends of the organizational spectrum but ultimately lies somewhere in between. Let’s look at each and how the industry has matured to the point where both types of companies can benefit.
When I think of smaller organizations, I think of a place to innovate and be creative. Staff and budget are limited, and they get cut back even more during slower years. So, instead of buying a new server for an on-prem Intrusion Detection System (IDS), you’ll see them repurpose an old user workstation for it. Often, things feel like they are being held together until funds become available, or the temporary solution becomes THE solution, but they push forward with what they have and make it work.
What about large organizations? Large organizations with the money and people often want more than just a working setup; they want the best product. They have a surplus of resources and will use them to ensure the product is customized to their needs. So, they spend days, weeks, or even months scoping or customizing a product. They often spend more time talking about something than actually doing it.
Both have pros and cons. One gets something set up quickly with whatever it has, but the result doesn’t necessarily meet every need; the other plans every aspect before deploying to ensure success, but it takes a long time to get there. The security field has matured significantly over the last decade. What I mean by this is that there has been a lot of development to make things accessible to everyone and better for everyone.
For example, tabletop exercises. I remember the first one I did for my small organization at my first security job about 10 years ago. I made a “pick your own adventure” type of thing where I gave the team a couple of choices, and they could pick their destiny. I did this because there was nothing out there to help facilitate this. I had to make it from scratch. It was pretty cool, and I loved it, but the time and effort I put into it was massive. After I was done, I was fine not doing another one for months. Larger organizations might like my idea of a very involved “pick your own adventure” tabletop but might want it more elaborate, with custom logs and even real data. I could see them being willing to dedicate time and funds to this project.
If I were asked to suggest a tabletop exercise to a large or small organization, I would suggest using Backdoors & Breaches. Backdoors & Breaches is a card game that facilitates a tabletop exercise: it has hundreds of cards used to generate a random scenario that the team then works through together. Simply pick a card for Initial Compromise, Pivot, C2, and Persistence, and you’re up and going. A card game like this makes doing tabletop exercises accessible. You can roll it out quickly, and it is still customizable for large or small organizations.
This leads me to a second point: the benefits of just using something off the shelf and starting the process. One of the best ways to improve is by reflecting on how things went and learning from it. You’ll see this practice in chess, where players replay the game from scratch and talk through their thought process on each move with other players, or in sports, where a team reviews the game tape to see where critical mistakes were made. For me, this is the most important aspect of improvement. I feel like that’s where companies get hung up. They might want it to be perfect and elaborate, but just starting and improving as you go is probably the best route. For example, with tabletop exercises, how much feedback could you get from doing 6 tabletop exercises in 6 months versus doing one tabletop in 6 months? I feel that doing 6 tabletops in 6 months, with a retrospective on each, will outweigh making one perfect one.
In a landscape where both small and large organizations grapple with security hurdles, it becomes evident that the key to improvement lies in actually doing the activity and getting something out there, even if it’s not 100% perfect. The allure of crafting custom solutions may be tempting for larger entities, yet the lesson from smaller organizations teaches us the value of simplicity and resource optimization. Embracing readily available, cost-effective tools and fostering a culture of continuous improvement through regular exercises can pave the way for a better security posture.