Our founder, Evan Francen, started FRSecure with the mission to fix this broken information security industry. One of the ways it’s broken is that there are many people participating in the money grab, trying to sell you potentially ineffective cyber security technology solutions. Evan calls these blinky lights: high-tech products or services that falsely claim they’ll fix everything for you automatically.
You’ve seen what I’m talking about. The one information security tool that will solve all your problems. The silver bullet, the magic cure, the “but wait—there’s more!” It’s shiny, fancy, and new, and it costs a pretty penny, so it must solve everything. Right?
Wrong.
Blinky lights are problematic. There are many reasons why, and we will go over some of the biggest ones.
Blinky Lights Don’t Address the Fundamentals
We constantly preach the value and importance of doing the fundamentals thoroughly and well. Deciding when to implement a higher-tech solution is no different.
When you think about your own information security program, is there any one tool that you use or have ever used that solves everything? Do any of your colleagues gush about how they were able to get rid of every other infosec activity once they signed up for Blinky Light #1534? Of course not.
Instead, you likely talk about things like implementing a new policy that was highly effective or doing phishing training that increased your employees’ awareness by 12%. Or maybe you talk about how proud you are that one of your colleagues told you he had implemented MFA on all his personal accounts, not just his work ones. (Just kidding—we know that is a fantasy.)
The point is, the fundamentals are imperative. You simply must do a good job on things like training, firewall configuration, VPN use, universal enforcement of password managers and MFA, access control, group policies, etc. Do these well, stay on top of them, and then consider if a blinky light solution may actually be a helpful addition to your information security program.
Note: If you don’t know what the fundamentals are or how to implement them, we are more than happy to help. We don’t charge for time (we’re not lawyers, but we love to work with them!), so call us anytime.
“Lipstick on a Pig”
If you’ve read Evan’s book, UNSECURITY, you are already familiar with this term. If not, it just means you’re using this blinky light technology as an appealing coverup to hide the fact that you have some glaring weaknesses. If you find yourself pushing some solution that you believe will solve all of your problems, ask yourself: “Am I doing because it’s flashy, or because it will truly supplement the foundational pieces I’ve worked to build?”
For example, if you’re looking at an automated log monitoring solution, it may be truly helpful for your program. But do you know what usual logs look like so that you can discern what is unusual? Or are you hoping the tool will figure that out for you?
The unfortunate truth is that information security budgets are often much smaller than they should be. With limited funds to begin with, why waste them on something that won’t make the most impactful improvement possible for the money?
Those dollars should be spent giving yourself a solid foundation. Once that’s in place, then budget should be spent on supplementary tools you have determined you need based on your unique program. If that’s a blinky light, go for it. But, chances are, it’s not.
Blinky Lights Add Complexity
Another thing Evan often says is complexity is the enemy of security. The more layers you have in your information security program, the harder it is to manage. And, not to be repetitive, it’s also more likely you’re not meeting those ever-important fundamentals. If you’re always focused on managing tools, you may be neglecting staying on top of the basics.
Especially when you throw one tech solution on top of another, you’re going to have a hard time keeping track of what everything does, is supposed to do, and even can do. If you struggle to stay on top of the tech stack, what do you think your users will do? With a half-dozen bells and whistles to log into and keep track of, your users may become fatigued. It is then unlikely they will use your tools effectively or understand their value.
When neither you, your tech team, nor your users effectively use the tools you’ve put in place, they lose value. All or most of the time and hard-won budget you spent implementing them is wasted. And, you have a harder time proving your department’s effectiveness and negotiating more budget next year.
Blinky Lights Offer a False Sense of Security
If you’re sold a solution that claims to solve every infosec problem you encounter, at minimum, you’ll hope that it works. At most, you’ll believe that it is actually doing all of the things it claimed it could. You’ll believe you’re far more secure than you are. You may let your guard down, especially about things that you normally would remain diligent about.
If you rely on one single product or solution to warn you about vulnerabilities or tell you definitively that you have encountered a compromise, you are in for a nasty surprise. A successful and mature information security program relies on many different factors to keep it safe. It requires some manual checks to detect compromises. Even logging and alerting systems (which we recommend you use, for the record) are not effective if you do not know which components of your environment need to be monitored and how to interpret the log results.
Note: we are firm believers in the “it’s not if, but when” sentiment echoed by most infosec professionals regarding compromises. So, we hope you are never under the impression that you cannot be compromised, regardless of why you feel that way.
A Final Note
While there are many reasons to avoid unnecessary technology solutions just for the sake of having them, we do realize there is a time and place for many of the automated solutions we have just discussed reasons to avoid.
Also, be sure to ask yourself if you’re avoiding doing something else that’s not adding the intended value or is adding unnecessary complexity. Finally, no technology should ever be enough to make you feel like you can’t be compromised. There may be a time and place to implement automatic solutions, but you must first address the fundamentals.
Need help getting those basics buttoned up? We’re here to help.