In his book The Collapse of Complex Societies, Joseph Tainter provides lessons from the collapse of ancient civilizations including the Roman Empire and the Maya civilization. Contrary to conventional wisdom, these societies did not collapse merely due to a sudden catastrophe such as an invasion by a major power, a major famine due to crop loss, or a plague that wiped out the population. Certainly catastrophic events occurred, but these societies were designed to handle such events.
Tainter’s thesis is that as societies develop they add more and more complexity. Additional complexity starts as being beneficial for a society, but over time the marginal costs outweigh the marginal benefits. As complexity increases, bureaucratic processes and regulations exacerbate the problem, further contributing to the complexity and increasing the marginal costs. At a certain point the society becomes vulnerable to collapse.
So, why didn’t those societies merely simplify in a controlled manner? The problem was that the complexity of the society made it almost impossible. Further, the societies were based on interrelated and interdependent functions that were very difficult to deconstruct. Thus, continuing the trend toward increasing complexity was seen as the most rational decision. Increased specialization historically led to better results. Also, the bureaucrats and elites had a vested interest in the status quo. For a while, benefits rose faster than costs. However, in Tainter’s words, “continued investment in complexity yields a declining marginal return.” As the society becomes less productive, costs only maintain the status quo. It is only a matter of time until an adverse event forces the society to collapse.
The Runaway Train is a society whose continuing function depends on constant growth. This type of society, based almost exclusively on acquisition (e.g., pillage or exploitation), cannot be sustained indefinitely.
So what does this have to do with Information Security programs?
As information security complexity increases, many security organizations have already approached a world of diminishing marginal returns on security investments. At one point in time, security budgets were rising, and the benefits (at least in perception) were increasing faster. However, as Tainter argues, “the marginal product of social complexity always declines.” Information Security complexity is increasing. The main culprits are an ever-expanding regulatory environment and an increased number of point-solution security tools. By one estimate, the average security program uses no fewer than 75 security products to secure its network. Quite a runaway train.
Like societies in general, as security programs develop they add more and more complexity. Over time, the marginal costs outweigh the marginal benefits.
Security costs are insidious – they generally go up in a stepwise fashion every year. Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM), Data Loss Prevention (DLP) and all the other tools are purchased and implemented. But they never go away. They just get piled on. The interrelationships and management complexity eventually catch up to an organization. The increasing complexity requires increased staffing. Security functions break down (sometimes catastrophically) if they are not continually maintained and funded. Now, with an economic downturn, all business units, including Information Security, are being asked to do more with less. When budgets are frozen or decreased, security programs can collapse under the weight of their complexity.
Given this grim trend, how do you keep your security program from collapsing? Security organizations need to radically simplify in order to prevent collapse. As with collapsing societies, incrementally continuing to add security controls to internal systems seemed to be the most rational decision. It was not. It is time to start ripping out systems. But which ones?

Tool rationalization is getting a lot of attention today. It does not make any sense to have dozens of tools with overlapping functionality. A quantitatively based tool rationalization methodology gives security leaders the information they need to reduce their “calcified” security spending. One example: inject simulated attacks in the network to see which attacks are being detected and/or blocked by each security tool. If attacks are being detected and/or blocked by multiple tools, this creates an opportunity to remove tools with redundant capabilities. Decisions can be made in a very transparent and controlled manner.
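As an added example (not from the original post), here is the coverage analysis behind the simulated-attack method above. The detection matrix, tool names and scenario ids are constructed; the script flags tools whose every detection is duplicated by another tool, flags scenarios nothing caught, and removes redundant tools one at a time so that two tools which merely back each other up are not both cut.

```python
from typing import Dict, List, Set

# Constructed sample run: scenario id -> tools that detected or blocked it.
# Tool and scenario names are invented for illustration.
RESULTS: Dict[str, Set[str]] = {
    "sim-01": {"IDS", "SIEM"},
    "sim-02": {"IDS", "SIEM", "EDR"},
    "sim-03": {"EDR"},
    "sim-04": {"DLP", "SIEM"},
    "sim-05": {"DLP"},
    "sim-06": set(),  # caught by nothing: a coverage gap, not a savings
    "sim-07": {"IDS", "EDR"},
}

def coverage(results: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert the matrix: tool -> scenarios that tool caught."""
    by_tool: Dict[str, Set[str]] = {}
    for scenario, tools in results.items():
        for tool in tools:
            by_tool.setdefault(tool, set()).add(scenario)
    return by_tool

def unique_coverage(results: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Per tool, the scenarios nothing else caught. An empty set means every
    detection this tool provides is duplicated by some other tool."""
    return {tool: {s for s in scen if len(results[s]) == 1}
            for tool, scen in coverage(results).items()}

def redundant_tools(results: Dict[str, Set[str]]) -> List[str]:
    """Tools with no unique detections: candidates for removal."""
    return sorted(t for t, u in unique_coverage(results).items() if not u)

def coverage_gaps(results: Dict[str, Set[str]]) -> List[str]:
    """Scenarios no tool caught; removing tools cannot fix these."""
    return sorted(s for s, tools in results.items() if not tools)

def rationalize(results: Dict[str, Set[str]]) -> List[str]:
    """Greedily remove one redundant tool at a time, re-running the analysis
    after each removal. Returns the removal order; the input is not mutated."""
    work = {s: set(t) for s, t in results.items()}
    removed: List[str] = []
    while True:
        candidates = redundant_tools(work)
        if not candidates:
            return removed
        # Drop the candidate with the fewest detections first (ties by name).
        victim = min(candidates, key=lambda t: (len(coverage(work)[t]), t))
        for tools in work.values():
            tools.discard(victim)
        removed.append(victim)
```

Note that IDS and SIEM are each individually redundant, yet only one can go: once IDS is removed, SIEM becomes the sole detector of sim-01, which is why the recompute-after-each-removal loop matters.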
Don’t let your program become the new Roman Empire. Take measures now to rationalize security spending in a controlled manner using quantifiable decision making.