By Rick Holland

You remember the tribbles, don’t you? The cute, harmless-looking alien species from the second season of the original Star Trek that turn out to be anything but benign. They are born pregnant and reproduce at an alarming rate. The tribbles threaten the ship, but fortunately Chief Engineer Montgomery Scott is able to transport all of the furry creatures to a departing Klingon ship.

The tribbles remind me of technology investments: You start out small, but before you realize it the technology is everywhere and you are overwhelmed. It ends up in places you never intended. Like the relaxing purr of the tribbles, the flashing lights of racks and stacks of gear give us warm comfort at night. Tribbles consume everything, just like the operational requirements of much of our technology investment: resources, budget, and productivity are all devoured.

What has led us to this tribble investment strategy? Defense in depth, the multilayered approach to defense. Many vendors use the defense in depth concept to justify whatever product they are selling. “You really need this, it is part of your defense in depth strategy.” “This isn’t designed to replace, but complement your existing security controls.” I call this Expense in Depth, the multilayered approach to ensuring minimal return on investment. In most cases we are getting diminishing returns on this additional investment.

I recently had a conversation with a CISO who told me, “I am sick of spending money on the latest flavor of the day security solution. I am done.” I agree, we should go on a technology investment detox. Before we start investing in the latest and greatest technology to solve problem X, we MUST maximize our existing investments. What type of return are you getting on your existing investments? If you have a history of failed implementations, what makes you think it will change this time around?
Could funds be better spent on improving the people, process, and oversight associated with whatever problem you were originally trying to solve? In many cases there is an existing solution that can address many aspects of whatever problem we are facing. It may not be the 100% solution, but do we always need 100%?

Let’s use network-based advanced malware detection as an example. When I was a solutions engineer, I sold a number of these solutions, and when we did proofs of concept with customers we found malicious activity that the existing security controls missed. That was several years ago, and what we are now seeing is the commoditization of this space. The other security players are catching up and are now offering these capabilities. So do I invest in a point solution that isn’t integrated into my existing portfolio, or can I go another route and leverage my existing portfolio and not increase the complexity of my environment?

Defense in depth tells us to invest in point products, while expense in depth should give us pause.

Like an addict, we have to stop our traditional approach to investment. I am a geek (obvious from the Star Trek analogy), I love the latest and greatest technology, but we have to step back and not fall for the cute and cuddly tribble. If you have a tribble investment strategy, you are doing it wrong. We must become more strategic in where we allocate our limited budget. Our focus should be on our staff and our data. My next blog post will address this area.