In a world of complexity, focus on the basics

Simplification and collaboration are the only hope

Tony Sager has not only witnessed the revolutionary change in cybersecurity over the past several decades, he has lived it, through a career spanning those decades at the National Security Agency (NSA).

The most significant, he says, is the transformation of cybersecurity from a government monopoly to a vast marketplace of threats, enemies, defensive tools and solutions that are far too complex for any one organisation or institution to manage. The only hope, he said, is simplification and collaboration.

Sager, a founding member and chief technologist at the Council on CyberSecurity and also director of the SANS Innovation Center, focused on explaining that change and its implications in his keynote address at the SANS Security Leadership Summit in Boston.

Among his key points:

The way we were: A government monopoly facing a single enemy.

"I'm a reformed monopolist," Sager said, noting that in the 1970s, early in his career at the NSA, "the business of cybersecurity was a government monopoly. Who controlled the context, who decided what constituted success, who decided what security was good enough, who paid the freight for most of the R&D? It was the government.

"If you wanted encryption of sensitive or classified information, you had to come to a monopoly: the NSA. There was a kind of implicit notion that government would save us and solve the problem," he said.

There was also the perception that the nation faced a single enemy: an existential threat from a single nation "that we didn't know much about, because it was a closed society."

The entire notion of connectivity was still in the future as well, so the notion was that cybersecurity was primarily a technology problem. "If we could build better technology, people could use that, our information would be safer, our operations would be more assured, and that would fix it," Sager said.

The way we are: Millions of connections, millions of enemies

None of those notions of the past, "match the world we live in today," Sager said. "We don't have centralized ownership of the problem. We're all connected, all using the same commodity IT, no one is breathlessly waiting for the government to tell us what is safe enough."

Meanwhile, "we're fighting all the time against an infinite number of bad guys," he said. "It's changed the flavor of the whole security business and how we think of leadership."

Security leaders even have a tough time convincing their CEOs that the latest technology from Google, Apple, Microsoft or other vendors needs some study before it's deployed.

"Your boss is absolutely sure you must have it right now," he said. So, for security leaders, the new challenge is, "What's the best we can do with what's coming out of the marketplace? What are the prudent steps we can take? It's no longer central control; it's driven by consumers."

Don't drown in defenses

It's not that there is a lack of defensive tools. It is that there are too many. "Never before have we had so many at our disposal," Sager said, "yet the problem seems to be getting worse. We're drowning in stuff to help us; there's tons of stuff, but so much of it, and so much in conflict, you don't know where to begin."

That confusion, or conflict, extends to the experts, Sager said, citing a saying that has become a cliché in the industry: information security experts agree with one another 90% of the time, but then waste 90% of their time arguing to the death about the other 10%.

Cut through "the fog of more" with collaboration, simplicity

Sager said the explosion of threats and defenses resulting from universal connectivity, what he came to call "the fog of more," led him to the philosophy that the most effective way to confront and solve those problems was through collaboration. "There is a list of problems that none of us should have to solve on our own," he said. "I started to bump into them over and over again."

One of them is high-level security and threat understanding. "Most of you don't have the budget and staff to do high-level security or to understand threats in a comprehensive way," he said. "So you can do it by proxy: leverage a large community. It doesn't even make sense to know about it all. What you really want to know is what to do about it. What action should I take?"

"Everybody's on networks, has partnerships and relationships with vendors. So, mapping from the knowledge of threats to action is a problem we should not be solving on our own," he said, when it can be vastly improved through "an ecosystem of contributors, adopters, vendors, working aides, consultants, teachers and more."

Another example is improved security through simplicity. Sager said nobody, not even the government, has the market weight to force a company of Microsoft's size to simply "improve security."

The key, he said, is to ask for something specific. In one case, he sought a reduction in the vast number of desktop configurations. "If you have a preconfigured standard, it lets you manage security properties much more effectively," he said. "It's very hard to do with an uncontrolled environment. Millions of end points all configured differently is a nightmare. But if you can cut that down to five, or even 15, you can cut costs."

It's good for the vendor as well, he added, "since they will know what a DoD desktop looks like. That saves them support costs. So it's an economic benefit for both parties."

Use a simplified, prioritized, shared standard for security

Sager said in 2001 he "shifted my thinking" on sharing government security recommendations with the public. "I got permission to release all the security guidance that we were developing for the DoD to the public," he said. "You could go to and get the same security guidance as the DoD. It was all designed to be unclassified and sharable."

But, he said, it eventually became clear to him that despite his good intentions, this had contributed to the "fog of more." A private-sector associate told him that while he appreciated all the information, he was "drowning in this stuff. I need to know what should I do now. Not everything, but now."

That, Sager said, led him to convene a meeting with colleagues he trusted, where they whittled the list of "everything" down to 10 crucial security practices. That, in turn, was eventually adopted by the SANS Institute as a community consensus project, "and took on a life well beyond anything we expected. And it started with nothing more grandiose than the question: What should people do first?"

That became part of what is now SANS' well-known "Top 20" list, the first five of which are: Software whitelisting; secure standard configurations; application security patching; system security patching; and no administrative privileges while browsing the web or reading email.

"This is based on the 80/20 concept of security that most of your value is derived from a small set of things," Sager said. "It really matters, because that's how we're getting eaten alive. If you can't handle this, you can't handle more sophisticated threats."
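The two practical points above, a small set of standard configurations instead of millions of one-off desktops, and a short prioritized list of what to fix first, can be turned into a fleet check. The script below is an added example, not code from Sager, SANS or the Council on CyberSecurity: it evaluates a constructed endpoint inventory against a handful of approved baselines and the five controls named above, reports drift per host, and ranks the fleet-wide findings in the order the list gives them. The baseline names, inventory fields and thresholds are all assumptions chosen for illustration.

```python
"""Fleet check against a few standard baselines and the first five controls.

Added example with constructed sample data; the field names, baselines and
patch-age thresholds are assumptions, not any organisation's real standard.
"""
from collections import Counter

# Assumed baselines: a small set of approved configurations, in the spirit of
# cutting "millions of end points all configured differently" down to a few.
BASELINES = {
    "desktop-std": {"whitelisting": True, "max_patch_age_days": 30,
                    "allowed_services": {"print"}},
    "server-std": {"whitelisting": True, "max_patch_age_days": 14,
                   "allowed_services": {"ssh", "https"}},
}

# Constructed inventory, shaped like a configuration-management export.
INVENTORY = [
    {"host": "ws-01", "baseline": "desktop-std", "whitelisting": True,
     "app_patch_age": 5, "os_patch_age": 9, "services": {"print"},
     "admin_for_web_mail": False},
    {"host": "ws-02", "baseline": "desktop-std", "whitelisting": False,
     "app_patch_age": 45, "os_patch_age": 12, "services": {"print", "smbv1"},
     "admin_for_web_mail": False},
    {"host": "srv-01", "baseline": "server-std", "whitelisting": True,
     "app_patch_age": 3, "os_patch_age": 20, "services": {"ssh", "https"},
     "admin_for_web_mail": False},
    {"host": "ws-99", "baseline": "custom-bob", "whitelisting": False,
     "app_patch_age": 200, "os_patch_age": 200, "services": {"telnet"},
     "admin_for_web_mail": True},
]

# The first five controls as the article lists them, in priority order.
CONTROLS = {
    1: "software whitelisting",
    2: "secure standard configuration",
    3: "application security patching",
    4: "system security patching",
    5: "no admin privileges while browsing the web or reading email",
}


def check_host(rec, baselines):
    """Return sorted (control_number, message) findings for one record."""
    findings = []
    base = baselines.get(rec["baseline"])
    if base is None:
        # Not on an approved baseline: control 2 fails outright, and the
        # remaining checks use the strictest thresholds any baseline sets.
        findings.append((2, f"unknown baseline {rec['baseline']!r}"))
        max_age = min(b["max_patch_age_days"] for b in baselines.values())
        want_wl = any(b["whitelisting"] for b in baselines.values())
    else:
        max_age = base["max_patch_age_days"]
        want_wl = base["whitelisting"]
        extra = rec["services"] - base["allowed_services"]
        if extra:  # drift from the standard configuration
            findings.append((2, f"drift: extra services {sorted(extra)}"))
    if want_wl and not rec["whitelisting"]:
        findings.append((1, "application whitelisting not enforced"))
    if rec["app_patch_age"] > max_age:
        findings.append((3, f"app patches {rec['app_patch_age']}d old, max {max_age}"))
    if rec["os_patch_age"] > max_age:
        findings.append((4, f"OS patches {rec['os_patch_age']}d old, max {max_age}"))
    if rec["admin_for_web_mail"]:
        findings.append((5, "web/email used with administrative privileges"))
    return sorted(findings)


def fleet_report(inventory, baselines):
    """Return (per-host findings, fleet 'do this first' list).

    The fleet list is ordered by the control's rank, so the first entry is
    the thing to fix first; the count says how many hosts fail it.
    """
    per_host = {r["host"]: check_host(r, baselines) for r in inventory}
    counts = Counter(c for f in per_host.values() for c, _ in f)
    do_first = [(c, CONTROLS[c], counts[c]) for c in sorted(counts)]
    return per_host, do_first


if __name__ == "__main__":
    per_host, do_first = fleet_report(INVENTORY, BASELINES)
    for host, findings in per_host.items():
        print(host, "OK" if not findings else "")
        for control, msg in findings:
            print(f"  [{control}] {msg}")
    print("Do first:")
    for control, name, n in do_first:
        print(f"  {control}. {name}: {n} host(s)")
```

Ranking by the control's position rather than by the number of failing hosts is deliberate: it keeps the output aligned with the "what should people do first" ordering instead of letting the noisiest finding jump the queue.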

And that led to his final thought on leadership: "The most common mistake of strong leaders I saw," he said, "was that they were great at telling you new things to do, but not so great at telling you what to stop doing.

"A lack of focus and priority is often a great weakness," he said, recalling the late Apple cofounder Steve Jobs saying he was just as proud of the 10,000 things Apple didn't do as the 10 things it did.

"If everything is important, then nothing gets done," he said.

Stories by Taylor Armerding