
Hacking and Grinding: The Balance Between Passion and Self Control


I was just reading a good post over at securosis by my friend Rich Mogull, and I have a few comments. He, and many others, bring up the fact that the cloud reduces (or eliminates) our ability to implement certain types of security controls, e.g. WAF, DB content monitoring and defense, and advanced S-SDLC.

This is, of course, true, but I think it largely misses the mark. Yes, the best of the best lose a lot by going to the cloud. The few who are doing WAF, DB monitoring and protection, etc. really well, and who have such an advanced S-SDLC that they would suffer from not having full control over the platform, will lose ground by giving up that control. Agreed.

But there are so few in this category.

These outliers don’t represent, as best as I can tell anyway, how most
medium to large companies are doing things. Most are way behind this,
and are still struggling just to get basic, critical vulnerabilities out of
their code, and to have solid separation between dev and production.

In other words, for the vast majority of companies out there that can
benefit from the cloud, they aren’t losing anything by moving there. They’re
simply not doing these advanced things now, so there’s nothing to lose by
“downgrading” to the cloud. It’s pretty much all positive for the majority
of companies.

What the cloud promises is to take people who are at 25% up to 75%, not to take people who are at 90% up to 95%. I think I would agree with Rich and Hoff that an organization that is at a 90% maturity level with its posture (and has all those advanced controls we talked about) wouldn't get much from the cloud.

But again, there are so few of these.

If I had to give a number (which is clearly silly) I'd say that most medium to large companies are in the 30-60% range in terms of their security maturity (think "failing at the basics"). And I'd say that going to a solid cloud service will jump them to 75-80%, which is still bad, but is much better (and yes, I realize the level of oversimplification is staggering). My point is that taking thousands of companies from 40% to 75% is a victory, and the fact that a few big players might drop 5-10% is not as important as it may seem.

In short, the cloud helps more than it hurts simply because most people are
in such bad shape that the cloud’s weaknesses fail to materialize. It’s like
saying that moving a homeless person to a middle class home is a letdown
because the new place doesn’t have an indoor pool. Most companies are
failing at the very basics, guys, and that’s why the cloud is a win for most
people. I think we should avoid letting the best be the enemy of the better.

May 23, 2025
