



You’re too busy to get your security right

Mar 20, 2018 | 7 mins
Data and Information Security, IT Leadership, IT Skills

The idea of having a few people who can do a little bit of everything isn’t really working anymore. We’re all too busy to be effective.


Every now and then the topic of being a security generalist comes up in a conversation. Almost every organization has a person who deals with a wide variety of security matters. Security isn’t just one thing; it’s a term that describes a very large number of activities and spheres of knowledge. I consider myself a security generalist to a degree, and I suspect many people reading this are also one. Rather than being very good at one topic, like cryptography for example, many of us have dealt with a large number of topics over the years.

I do like being a generalist and all the freedom and challenges that come with it, but the winds that drive the industry are starting to shift. The idea of having a few people who can do a little bit of everything isn’t really working for most organizations. We’re all too busy to be effective much of the time.

Contrary to all the news we read, security is indeed starting to get better, but not in the way many of us think or expect it to get better. There are still a large number of network breaches and data thefts, but it’s not all that bad if you really look at what’s happening. The vast majority of incidents you hear about are the result of overworked and underfunded security teams at an organization. It’s always a complex system that wasn’t properly architected. The places where security is getting better revolve around the things that have been commoditized.

The current trend of commoditizing IT is leading the way to better security. If you look at the ability to outsource something like authentication, you now have authentication experts handling your authentication security. Security might not be the driving force behind a lot of this outsourcing, but security does get to hitch a ride. Your overworked security team isn’t going to understand the latest and newest threats against authentication systems, but this is quite literally the job of an authentication-as-a-service provider.

This is a natural evolution of most industries if you think about it. Are you going to use a service that has terrible security practices? Certainly not. The security measures in place will be an important part of making decisions around which services to rely on to run your business. Of course, how we decide which services have good security practices is another topic for discussion. It’s not simple to decide if a service is actually secure; we will discuss that topic another day.

I do know a few security folks who believe keeping important security functions in house is the only way to ensure everything stays secure. The thinking is something like this: If I don’t have control of all my data and all my servers, I can’t possibly be certain that everything is OK. I don’t want to trust an external third party because they could be doing things in ways I don’t approve of and would consider to be insecure.

I once thought this way, but I’ve softened my thinking rather drastically in recent months. It does get exhausting having to keep track of who is doing things wrong. More importantly though, this line of thinking clearly doesn’t work and probably has a net negative outcome if you look at the big picture. A big part of what changed my mind was just looking at all the news happening around us. The vast majority of data leaks are the result of trying to self-host services and data.

The new normal

The argument I always hear is “but do you trust them with your data?” The better question is probably why you are somehow more trustworthy or better than the vendor in question. Are you an expert in authentication? Or logging? Do you have the knowledge needed to spot a threat actor in a mountain of access requests? You might be, but you might not be. Believing you’re an expert in everything can create a false sense of security.

The better question to be asking is: are you spending the proper amount of time on any of your projects? The answer for all of us is “probably not.” We all have more work to do than time to do it. Even in the best of circumstances, getting security right is a massive challenge. If we aren’t given enough time to do things, there is a very low probability that we will get things right. Even the best of us make mistakes when under a time crunch.

As-a-service offerings, by definition, will do better than many local experts. Most on-site experts have a lot of things to do, which means they don’t get to dedicate a proper amount of time to any one problem or solution. When you are working with another organization to use their services, they are generally going to be better at that task than you are, as it’s the only thing they do. There is a certain advantage to being able to focus your attention on a small number of things.

Email dumps will be our example. Email dumps used to be a lot more common than they are today and, unsurprisingly, a rather big deal. For almost everyone their email contains a treasure trove of sensitive data. It makes sense that an attacker would try to gain access to email as one of the first steps in collecting important data.

How often do you hear about massive email dumps these days? I did some research and I couldn’t find any examples of large email dumps from the major email providers recently. All the large and scary email dumps have been the result of people running their own email servers. There are of course a few exceptions to this rule that seem to revolve around personal email accounts, but in general it holds true.

Today it is more dangerous to run your own email server than it is to use a service. This is not an idea that’s popular in some circles, but the data backs up this statement. If you look at any of the recent large email leaks, they’ve all been due to mistakes made with self-managed email servers. Properly managing an email infrastructure is nothing like it used to be. The days of having a POP3 server behind a firewall are long gone. Everyone wants access to email from everywhere and on all devices. The attack surface is several orders of magnitude larger today than it was ten years ago.

The experts are, well, experts when it comes to email.

This is a new way of thinking for many of us. It’s hard to give up control, especially when we view control and security as very similar things. For many of us, security is becoming less about securing actual systems and more about ensuring the services we are working with take appropriate precautions. The new world is tasks like ensuring our data is being properly protected and creating policies that we are comfortable with when interacting with customers and employees.

Most of IT is turning into a commodity, and security is hitching a ride. We aren’t going to fix security in the traditional sense, but we are seeing progress when we view it as a feature of the services we rely upon.


Josh Bressers is the head of Product Security at Elastic. Josh has been involved in the security of products and projects, especially open source, for a very long time. Josh has helped build and manage security groups for many open source projects as well as a number of organizations. Everything from managing vulnerabilities, security development lifecycle, DevSecOps, security product management, security strategy, and nearly any other task that falls under the security umbrella.

Josh co-hosts the Open Source Security Podcast. Josh is also an active member of the Distributed Weaknesses and Filing project which is in the process of leveraging the power of open source for CVEs.

The opinions expressed in this blog are those of Josh Bressers and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.