Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Connect Directly
E-Mail vvv

Pragmatic Security: 20 Signs You Are 'Boiling the Ocean'

Ocean-boiling is responsible for most of the draconian, nonproductive security policies I've witnessed over the course of my career. Here's why they don't work.

I've always been a fan of the rather descriptive expression "boil the ocean." According to Investopedia, boiling the ocean is to undertake an impossible task or project, or to make a task or project unnecessarily difficult. More concisely, boiling the ocean generally means "to go overboard."

In security, we can learn a valuable lesson from this expression. Security is all about balance and pragmatism. Enumerating risks and threats to the organization while simultaneously prioritizing them. Seeking to mitigate risk while in parallel understanding the need to accept a certain amount of it. Building a security program even though some of the people, process, and technology involved may be missing or imperfect. Running security operations with an understanding that the conditions are never ideal. Balancing between business or operational needs and security principles. And so on…

In my experience, boiling the ocean does not allow an organization to improve its security posture. In fact, quite the opposite is true. So how can organizations turn away from ocean-boiling and toward a more pragmatic approach to security?  I present "20 signs you are trying to boil the ocean."

1. Perfect is the enemy of good. I'm a big fan of the Pareto principle. Sometimes it is possible to roll out a solution that addresses most of what we need fairly quickly, even if it doesn't address everything. If we wait for that perfect solution, we might be waiting a long time.
2. Finding the problem in every solution. I've worked with some pretty impressive people over the course of my career who seem able to find a solution to nearly every problem they face. I've also worked with people who seem to find the problem in every solution they discover. The former helps organizations mature. The latter makes them spin their wheels endlessly.
3. Working in series rather than in parallel. Ever feel like you can't move forward on tasks B, C, and D until task A is completed? That may be the case in some instances. But in many cases, there isn't as much interdependence between tasks as you think. It is very often quite possible to work in parallel to move things forward.
4. Inability to find the path forward. If trying to move any effort forward seems like an endless series of dead ends, it could be a sign that a less complicated path may bring better results.
5. Paralysis. Organizational paralysis can be, well, paralyzing. If employees don't try and effect change because they feel that it is doomed to failure, it could be another sign of rampant ocean boiling.
6. Playing hot potato. When the answer is unknown, it's easy to just say no and pass the hot potato on to the next person. Putting aside ocean boiling allows organizations to identify what can be done, instead of what cannot be done.
7. Always looking for more data points. It's easy to put off a decision because you are waiting for more data points. At some point, you need to realize that you have just about all of the relevant data points you will ever have and make a decision.
8. Always waiting for something else to happen. In a similar manner, it's easy to put off a decision because you are waiting for something else to be completed.  Sometimes there is a genuine need for this time of dependence, but often, it's another symptom of ocean boiling.
9. Looking for every out. Ever come across people who seem like they are just looking for every possible out or opportunity to dismiss an idea? No idea is perfect, but many ideas can develop into real-life solutions.
10. Waiting for more money. There will never be enough budget to do everything that needs doing. Prioritize and get moving.
11. Waiting for more time. See number 10.
12. Looking for the perfect hire. Everyone wants to hire a 20-year-old analyst with 10 years of experience. I'd also like to have a pet unicorn, but we can't always have what we want. Consider hiring bright, energetic, motivated, and analytical people and training them.
13. Drowning in false positives. Well, if I turn off my noisiest alerts, then I might miss something, so I'll just do nothing instead. Sound familiar? News flash: if you are drowning in false positives, you are missing something already. Figure out how to be alerted to more of the stuff you care about and less of the stuff you don't.
14. Stagnant on content development. Attacker techniques continually evolve. You will never arrive at the perfect signature, logic, or algorithm. Know when you have something good enough that gives you a good shot at identifying attacker activity without drowning you in false positives.
15. Processes and procedures are forever a work in progress. There will always be more that can be documented or documented better. But at some point, your team needs guidance and a path forward for a variety of different situations.
16. Inability to start a dialogue with executives. You will never be prepared enough for all the potential questions and points that executives might raise. But you need to be able to get enough of a story together to be able to discuss risk prioritization with executives and move your team's agenda forward.
17. Inability to make progress with the business. Security shouldn't be the team of no, nor should it inhibit the business. On the other hand, risk to the business needs to managed properly and minimized wherever possible. These may sound like contradictory points, but a pragmatic, collaborative approach to the business can make all parties converge to a workable solution.
18. Operations permanently stuck in ramp-up. I've seen lots of situations where security teams seem to ramp up for years on end. At some point, security operations must start, even if imperfect. A security program can always be improved iteratively once it is running day-to-day. That's much better than never getting anything off of the ground.
19. Inability to prioritize risk. Every risk seems like a top priority. But if we have limited resources, we have to make calculated choices. Otherwise, we spin our wheels forever.
20. Draconian policies. Ocean boiling is responsible for most of the draconian security policies I've seen over the course of my career. It helps to understand which policies and practices actually contribute to improving security, and which ones just make ocean boilers feel better.

Related Content:


Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
[email protected],
User Rank: Apprentice
3/14/2018 | 3:21:44 PM
Re: Content stagnation
Thank you Daniel - glad the piece resonated with you.
User Rank: Black Belt
3/14/2018 | 2:58:53 PM
Resolving the impasse might be less fun
I would be glad to help you collect solutions to the impasse, but documenting the problem might be more fun.
User Rank: Black Belt
3/14/2018 | 2:57:11 PM
Solving the impasse
I would be very glad to help you collect solutions to the impasse.  True, feeling hopeless and complaining is more fun that solving it.


User Rank: Apprentice
3/12/2018 | 7:27:46 AM
Is This Beginning of War in Cyber Space ?

Indian Cyber Army In Talk With News Line on Cyber Space War One click of a hacker can easily undo years of handwork of any organisation, without the need to cross the border. Stealing confidential information, intellectual property and financial data is extremely harmful and paralyses the country's economy. The point to ponder upon is: What if the Indian government supports these patriotic cyber security personnel to provide Information security awareness to contribute to protect the national cyber infrastructure without any monetary benefit?

[email protected],
User Rank: Apprentice
3/11/2018 | 6:47:07 AM
Re: Great Article
Thank you Menny.
[email protected],
User Rank: Apprentice
3/11/2018 | 6:46:22 AM
Re: Great article
Best of luck with the situation.
[email protected],
User Rank: Apprentice
3/11/2018 | 6:44:36 AM
Re: Clear and consise
Thank you - very much appreciate your comment.
User Rank: Author
3/9/2018 | 5:14:31 PM
Content stagnation
Great article, many of these 'signs' resonated with me.  In paticular: Stagnant on content development

In my prior SOC roles I like to think of creating 'Security Context' type content.  This would be content that didn't report to be an alert, but instead help support an investigation.  (Low severity events)

Great stuff!  Thanks Josh!
User Rank: Author
3/8/2018 | 10:44:42 PM
Clear and consise
What a great summary.  The facts are clear and consise and hopefully many will take note and action!
User Rank: Strategist
3/8/2018 | 1:47:19 PM
Great article
Thatnks for describing perfectly the situation I am stepping in to.
Page 1 / 2   >   >>
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/27/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-28
An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The live editor feature did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The live_editor_panels_data $_POST variable allows for malicious JavaScript to be e...
PUBLISHED: 2020-05-28
An issue was discovered in the Accordion plugin before 2.2.9 for WordPress. The unprotected AJAX wp_ajax_accordions_ajax_import_json action allowed any authenticated user with Subscriber or higher permissions the ability to import a new accordion and inject malicious JavaScript as part of the accord...
PUBLISHED: 2020-05-28
An issue was discovered in the Real-Time Find and Replace plugin before 4.0.2 for WordPress. The far_options_page function did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The find and replace rules could be updated with malicious JavaScript, allow...
PUBLISHED: 2020-05-28
An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The action_builder_content function did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The panels_data $_POST variable allows for malicious JavaScript to be e...
PUBLISHED: 2020-05-27
A cross-site scripting vulnerability (XSS) in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow a remote attacker to tamper with the web interface of affected installations. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or ...