More Than a Hammer: Expanding the Information Security Toolbox

Security programs over-focus on networks and systems because infrastructure is most practitioners' background. The toolbox needs domain expertise in business functions, data analytics for measuring effectiveness, application security skills, practical user guidance, usable tools, and a "yes" mentality that enables business.

When the only tool you have is a hammer, it’s tempting to treat everything as if it were a nail, wrote Abraham Maslow a few decades ago. Given this observation, it’s not surprising that most of today’s information security efforts seem to focus on networks and systems. Gunnar Peterson observed that this is because infrastructure is the “background and hobby interest of the majority of technical people in the industry.” In addition to the infrastructure security “hammer,” our toolbox needs to incorporate the following elements:

Domain expertise related to the industries and business functions supported by information security efforts. Security cannot function as a standalone discipline.

Merely having technical security expertise isn’t enough.

Data and analytics for determining which security and risk management approaches actually work. E.g., Malware defense metrics.
Application security skills to develop software with fewer vulnerabilities and to mitigate the risks associated with the flaws that find their way into applications. E.g., Building a Web Application Security Program by Securosis.
Practical security guidance to individuals who interact with sensitive data. For instance, we need security awareness training that doesn’t put people to sleep. For some ideas, check out SANS’ Securing the Human blog.
Security tools that work according to users’ expectations and that are tied to the ecosystem of people and processes that rely on them. Security Scoreboard might be a piece of this puzzle.
A “yes” mentality that positions infosec as an enabler of business processes ins a risky world. Too many security practitioners seem to strive for absolute security. E.g., security pros might be too cautions of cloud computing.

These ideas are congruent with the concerns I expressed when outlining theworrisome state of the information security industry. However, that note pointed out problems without saying much about solutions. Looking at ways of expanding the security toolbox might be a more constructive way of tackling the issues.

Update 1: For more thoughts on this topic, read Gunnar Peterson’s post He Who is Not Busy Being Born is Busy Dying, as well as Christofer Hoff’s response.

Update 2: In a follow-up post I offered my tips for how to Down the Walls Between Application and Infrastructure Security.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →