In information security, perfection is the enemy of progress, says Lenny Zeltser, VP of Product at Axonius. But it’s one thing to know about this maxim, and another to internalize its wisdom through trial and error.
“I remember striving to build the ultimate application security architecture, the strictest firewall ruleset, the tightest system lockdown guide. These efforts ended up taking too long and costing too much,” he told Help Net Security.
Product managers often think in terms of building the minimum viable product (MVP): release a product that’s sufficient to satisfy some users’ requirements, so they can derive value from the product while offering feedback to improve the next release.
Zeltser uses this approach both at work and in his independent projects but, by his own admission, he still stumbles. He has, for example, been laboring on a new release of REMnux, the Linux distro he created for malware analysts, and the effort has been stretching for far too long.
“I probably could’ve finalized a less ambitious release months ago,” he noted. “As security professionals, we can often benefit from shorter, iterative releases of our projects, be they research paper drafts, policy documents, or security architecture designs. Waiting too long in a pursuit of perfection can rob us of the fast feedback that leads to better results.”
Feedback from (and collaboration with) prospects, customers, and partners is what helps him do his work and outline the roadmap for the company’s cybersecurity asset management platform.
It’s not always easy, he says – his biggest challenge as a product manager is attempting to predict the future.
“Where will the security industry be a year from now? Five years from now? How will the incumbent vendors react to disruptors like Axonius? What will be enterprises’ IT and security needs? As a product manager, I need to be humble enough to listen to my stakeholders, yet arrogant enough to believe that I can peek a little beyond the horizon,” he added.
There’s room for improvement
His primary job also benefits greatly from his regular forays into teaching: Zeltser is a very well-known author and teacher of SANS security courses, which have the added bonus of motivating him to continue learning.
He needs specific projects and milestones to have an excuse for experimenting with new tools or researching emerging threats, and creating training materials for courses like Reverse-Engineering Malware and Cybersecurity Writing provided him with the context and goalposts for reaching outside of his comfort zone.
Zeltser is also eager to encourage security professionals to leave their mark in an industry that is, when compared to others, still young and immature – despite making great strides in the past five to ten years.
“Security professionals used to struggle with collaborating across organizations and now they share threat intelligence and other insights through data feeds, blog posts, private forums, and public events that strengthen everyone’s defensive posture,” he pointed out.
“Other advancements that come to my mind include the adoption of automation for processing large security data sets, the availability of SaaS and managed security products that are more effective than what many would build on their own, and the use of reasonably secure default settings in a growing number of applications.”
There’s certainly room for improvement, he added, especially with respect to security practices relevant to organizations without advanced expertise. However, it’s all generally moving in the right direction, and there are still plenty of opportunities for infosec practitioners to make a difference in this field.
Advice for companies
As Zeltser found over the years, some companies (both big and small) have highly mature information security programs, and some are just starting to think about cyber-defenses.
The good news is that, due to consumer expectations, business contracts and regulations, companies are increasingly aware of the need for information security and this contributes to the steady progress in firms’ security posture.
“On the other hand, companies are adopting interconnected cloud and SaaS applications that distribute data in ways that are hard to track. Moreover, the applications are increasingly built using fast-moving DevOps principles that many security practitioners cannot handle because they’re no longer in the position of a gatekeeper,” he noted.
Given his focus on cybersecurity asset management at Axonius, Zeltser has come to appreciate that organizations with strong security practices are succeeding because they’ve built a reliable foundation, such as the ability to know which systems exist, how they’re used, and what security measures must apply to them.
“Companies that are just starting to formalize their security program will do well by laying such groundwork before looking at more advanced (yet admittedly sexier) principles. That’s why my mindset at the moment is on helping organizations understand what IT assets they have, discover security coverage gaps, and enforce security policies,” he concluded.