Golf vs. Security – Finding your IT Security Swing
As a keen golfer I find that the issues I’m facing, in both my golfing game and golf in general, are becoming more and more similar to those in this industry.
The old saying, ‘if you are putting badly, buy yourself a new putter’ is a good one… this is the classic ‘let’s buy a new security tool without really knowing what the problem is’ scenario. I am spending a lot of my time sitting in front of organisations who have been scared by the most recent breach or compliance regulation. GDPR created a widespread marketing ploy of ‘know your data’, which has resulted in a lot of security budgets being spent on DLP and SIEM tools before companies have developed a data strategy. This usually ends up with said company not getting the ROI they were expecting from the tools, and having a lot of problems during implementation, meaning that what they thought was going to be a month-long project quickly turns into 6-12 months of pain, not to mention a lot of money and a poorly implemented tool that is giving 100s of false positives every day and therefore no useful information.
The next commercial problem you find in golf is that when you buy yourself a brand-new driver for £300 it’s the best on the market, but 9 months later the next two generations of driver have come out and you’re now using a £50 driver that is seen as ‘old tech’. You also have 50 other driver vendors doing the same, making picking the right club at the right time a nightmare! IT security sees the same problem, as there are always several ways to confront a vulnerability and 20 vendors who have an offering in that space who are always evolving their product to keep up with the latest zero-day threat.
The problem may not be your driver, it may be one of the fundamentals of your game, so you end up with another 6-12 months of that hook off the tee and no money to spend on the golf lessons you really needed.
Fighting The Wrong Battle
Any golfer will understand me when I say, “I don’t know what I am doing wrong”. Golf can be a very frustrating game where it feels that you are playing more yet getting worse.
I also see this in the IT industry a lot: “we followed X compliance and implemented Y last year, but we are still getting hacked and I don’t know how or where from!” Most security vulnerabilities nowadays are caused by a lack of integration between technologies or systems and a lack of education of the end user. A lot of organisations think that simply spending more and more money on protecting the endpoint, network and overall edge of their infrastructure is the way to ensure they are secure. However, nowadays there are many other vectors of attack you must consider.
The 3 Foot Putt
In golf you can hit a 300-yard drive straight down the middle, but on the same hole you can miss a 3-foot putt and the shot costs you exactly the same on the scorecard at the end of the day. In IT security you can be subject to an intelligent nation-state attack on your servers, or ‘Bob’ could simply send company data from his work email to his personal email; the result for both is similar in terms of the data exfiltrated. The first example will take a very intelligent and expensive tool to solve. The second could have been solved simply by an IT consultant making Bob aware of the problem (which incurs no cost). Both need to be taken into consideration to fully protect your business.
The answer to all of the above is not to tackle it on your own…
In golf, everyone must learn in their own way and you must make sure you utilise expertise from a lot of different places in order to find your swing. No one knows all the answers (except for maybe Butch Harmon…) but there will be a lot of people out there with a lot of experiences that you don’t have in the golfing world, which you can learn from. A lot of the time the answer isn’t a new bit of kit, but instead re-adjusting something to create a better output (slower swing, head down, pre-shot routine).
IT security is the same: no one has the silver bullet. Everyone just has experience they have derived from their time in the industry. I work at Armadillo Managed Services, where we have over 20 years’ experience helping organisations with IT security projects every day. We will do the leg work for you, looking at as many available options as possible and, from them, building the best solution for you. We don’t claim to be better than everyone else, but we have listened to hundreds of companies’ key concerns and security problems, and from this experience we know which solutions work and which don’t. At the same time, if we feel we can’t offer you the most effective solution for your company then we will say so, rather than organising a sub-par offering.
The key thing to make sure of by the end of the project is that you feel secure. This can only truly happen if you have done your due diligence, you have explored every avenue available to you and you have made an educated decision. That’s where we can help. Get in touch today.
Written by: Nick Trott, Client Manager at Armadillo.