Security teams are divided by the discovery and mitigation of risk.
How do you split resources between the two?
Let’s explore the explore / exploit dilemma in this essay.
Divide all of your teams priorities and resources into two buckets, breaking and building. How much have you spent on one versus the other?
Next, consider a new strategy. Abandon your current strategy and choose an extreme path towards one of these principles:
🪓 Breakers: A strategy that only hunts for and reports on risks. Detection, red teaming, penetration testing, threat intelligence, incident response, bug bounty, risk quantification are prioritized.
Or…
🛠️ Builders: A strategy that focuses on strictly on fundamentals. Does not try to predict risks. Assumes that fundamental controls and maturity models will eliminate the most risk, even unknown risks.
You should cringe at the thought! At least some aspects of both principles are necessary. You probably aspire to be in the middle… somewhere.
It follows my experience that teams in reality will bias toward one side or another, but never fall completely into one extreme. They all trade off between the two. Interestingly, everyone falls into a different place on the spectrum. Is their current ratio an intentional decision?
How do you find the healthiest equilibrium between building and breaking?
This decision is an explore / exploit dilemma.
This dilemma is not solvable. The optimal tradeoff can only be approximated.
Though, my experience suggests that we should lean towards building unless our constraints force us to do otherwise. Here are some notes:
Breakers overwhelm the throughput of builders: Vulnerabilities take less effort to discover than their corresponding fixes. There will always be risk to mitigate if risks are being taken. Erring towards building helps avoid backlogs of unfixed risks.
Breaking starts out cheap: Early teams get far with scanning tools, maturity models, checklists, and very brief gap assessments. Breaking has it’s highest ROI early on and produces the most work for builders. Over time, this becomes less true.
Breaking may find equilibrium at the 37% Rule: The explore/exploit tradeoff appears in many spaces, and the answer is often to spend 37% of your time exploring and the rest exploiting. Feynman’s restaurant problem decides whether to explore new restaurants or stick to eating at your current favorite. 1/e appears in several explore/exploit optimization scenarios. The Gordon–Loeb model also landed on 37% of expected breach losses being an optimum amount to invest in security.
The difficulty with the 37% rule is that while it surfaces as a probable answer in simple models, it begs the question: “37% of what?”. It may be 37% of what we’ve been allocated in a budget, or 37% of our expected losses in a breach. I don’t recommend codifying resources around the 37% rule. Merely take it as a suggestion.
A variety of factors go into how we build security organizations that influence our decisions. When possible, we should err towards building rather than breaking. Take comfort in knowing that there is no right answer, so long as you understand the dynamics between them. Be intentional when taking a different path.
@magoo writes about security on scrty.io