Tuesday, October 15, 2013

What I meant to say was...

Well for good or ill I flew through my presentation at the Splunk conference lol. The upshot is I think it went ok. The downside is there are a few things I didn't say that I had planned to. Guess I'll take the opportunity now to cover a few....

Security as a business enabler
I've heard and read this from several InfoSec folks but I don't know that I believe it. Should be? Can be? Might be? Is? All variations of the question with different potential answers. I get that the idea is that services vetted through 'security' are more secure, leading to less loss. The problem is, given staffing and backlog, the status quo is more like "hey security people, I have a question about standing up some new service" only to be answered with "the answer is no, now what is your question?" I did read a good analogy once that security is an enabler the way brakes enable cars to go fast. How? Brakes allow the cars to slow down safely. I think the bigger issue is that the customer base at large isn't at the point where security is a differentiator. As a counter example take a look at the picture below.
How many people are going to buy this meat if there were a store next door that sold meat wrapped and chilled? In this case the extra expense is a business enabler. I'm not lobbying for more controls and audits, and perhaps I'm underplaying the role those audits play in being authorized to DO business, but at scale I just don't think people are baking security into their buying habits.

Now, I don't want to sound like a fanboi, but Splunk is one of the few tools where you really CAN offer value to the business and use those same logs in a security context. Bring the logs in and you potentially have the right, or most of the right, logs to satisfy both needs.

Program funding models
I heard an analogy about different approaches to funding models that I thought was great. Had meant to bring this up. You are at college with a car and someone wants to ride home for the holidays since you pass close to their house. The standard payment model is for them to pay for gas. The alternate is to say "well, I bought the car 2 years ago for 8k; given depreciation and the fact that there are two of us, why don't you pay about half of what the car is worth, so pay me 3k." As absurd as that sounds, how many are trying to recoup sunk costs into a model that is elastic enough to account for all the new groups that will want to onboard to Splunk once you've stood it up? I get that there are all kinds of ways and constraints people have to deal with, but still I think the analogy has its place.

Getting funding
So I think I hit most of what I wanted to say but I'm not sure I articulated it as well as I would have liked. I'll blame the medium of PowerPoint, since I don't normally have slides with so much text (I wanted to make them easier to understand if folks look at them after the conference) and I hate reading slides. At any rate, I'm a fan of how Jack Jones defines the value add for the InfoSec program: reduce the magnitude and frequency of data loss. One of the points I was trying to make was that when you are making an argument for funding, don't talk about the tools you want to buy as much as what issues you are trying to solve/fix/remediate. If FUD is one end of the spectrum and salivating over simply naming FOTM product X is the other, my guess is your audience is tired of the first and couldn't care less about the second.

Apps for individual groups
One thing we did for just about each group of data owners is create an app in Splunk just for them. The idea is they use that as their default instead of the standard Search app. The main reason is that with hundreds of users I didn't want the various menus congested with everyone's stuff in them. It also gives that group a sense of ownership in that they have an area just for them. It has worked well.
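To make that concrete, here is a constructed example of the handful of config files behind a per-group app. This is not the post's own configuration; the app name `finance_app` and the role `finance_role` are assumed placeholders, and the files live under `$SPLUNK_HOME/etc/apps/finance_app/` (or in `etc/users/` and `etc/system/local/` for the role default, as noted).

```ini
; $SPLUNK_HOME/etc/apps/finance_app/default/app.conf
; Minimal app definition so the app appears in the app menu with its own label.
[ui]
is_visible = true
label = Finance Data

[launcher]
author = placeholder-owner
description = Searches and dashboards for the finance data owners (constructed example)
version = 1.0.0

[package]
id = finance_app

; $SPLUNK_HOME/etc/apps/finance_app/metadata/default.meta
; Knowledge objects saved in this app stay scoped to it: only finance_role
; can read or write them, and nothing is exported to other apps, so one
; group's saved searches do not clutter (or leak into) everyone else's menus.
[]
access = read : [ finance_role ], write : [ finance_role, admin ]
export = none

; $SPLUNK_HOME/etc/system/local/user-prefs.conf
; Make this app the landing app for everyone holding the group's role,
; instead of the shared Search app.
[role_finance_role]
default_namespace = finance_app
```

The app's own navigation (default/data/ui/nav/default.xml) is what actually keeps the menu short, since it lists only the views that group needs; the search restrictions for the role (srchIndexesAllowed, srchFilter) still belong in authorize.conf and are not replaced by the app.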

Mark

