Organic is Great for Food, but not for IT Security

Posted: May 20, 2019

Almost none of us have ever truly built an IT Security architecture from scratch.  We usually just inherit what the company has in place when we walk in the door. When we try to find out about the reasoning behind why things were designed and built, we often hear the same old refrain: “Oh, it’s grown organically over time”.

Organic Security usually means something like this:

“We had to put out fires, which led to putting in point solutions.  Then we had to figure out how to manage those point solutions.  Then we started seeing what the solutions were telling us about our environment, which forced us to reconsider the rules, controls, and solutions we had put into place, which then changed the process when the tools changed…”

You get the idea… this is a cycle. Often these new areas of visibility expose new fires, and the same cycle gets started over. Sometimes it works out, sometimes it doesn’t.  But whether it does or doesn’t work, you end up in a process like the picture below, and it will become untenable over time:


Let’s take an example outside the realm of IT and cybersecurity. The handy person who is really good at do-it-yourself (DIY) will often analyze a completed project to see if there were ways they could have done it more elegantly and faster. On the other hand, a professional carpenter will plan the project out beforehand and do it right the first time.

That same concept applies in IT and cybersecurity. In shops with good leadership and a lot of experience, that order of events will eventually begin to reverse.  Instead of controls forcing process changes, which then exposes new visibility into the environment, that cycle gets flipped.  The more mature IT shops will instead leverage visibility of the environment to better inform decisions on security process.

Now that the order of events is flipped, the process starts to look like this:


But visibility itself can be a hard sell because it means you have to convince management to invest into the organization’s security BEFORE they know there is a problem. You’re delivering the knowledge needed to improve your organization, but you’re likely also going to deliver some scary news to management once you have that visibility. As is so often the case, your organization might have never been aware of threats or exposure to risk they have.

Once you get your desired insight, they will know about them for certain. And that means they have to take action (we’ve talked about pulling those loose threads before).

But there is a payoff in the long run! The organization will be able to plan better and make more informed security decisions. This will lead to benefits like better designed processes around security controls and informed choices when deciding on tools and methods as security controls. In short, it means a better security posture. Management just has to have the will to fight through the pain in the short term.

Taking the first step – which doesn’t have to be difficult or time-consuming – is typically an assessment of what you have in your environment. Using an existing reference architecture (we created one here at Set Solutions for this purpose), you can take some time to build an inventory of what you have in place, as well as develop a map of your gaps. It’s an exercise in “network archeology,”, and it will help tremendously in ensuring that you have an accurate picture of your security posture and landscape. Then you can start making plans for improvement! As G.I. Joe says, “Knowing is half the battle.”

By the way, this is something we often do for our customers as a normal pre-sales engagement. Please reach out to see if we can help you with getting that visibility!


This blog was written by Sonny Green, Solution Architect Manager – North Texas, at Set Solutions