Cybersecurity has become a critical component of organizational strategy across all industries. However, a common misconception is to view cybersecurity solely in terms of return on investment (ROI). Amur Almanji, CISSP shares his experience of how an eliminate, simplify, standardize and automate (ESSA) approach can optimize cybersecurity practices.
In my experience, organizations face numerous compliance requirements and respond by deploying a multitude of security tools. This "tool sprawl" increases costs and then drives further investment in security solutions to manage the sprawl itself. Organizations must optimize: streamline and consolidate tools to reduce complexity, improve efficiency and make better use of limited resources.
Expansion is a typical organizational goal, and scalability is crucial to sustainable growth. A management goal relating to expansion might therefore focus on building scalable infrastructure, so that the organization can grow efficiently without compromising performance. Scalability in turn requires agility, the ability to adjust to changing business needs, and the key to that agility is automation.
Security automation is delivered through several disciplines, such as security orchestration, automation and response (SOAR), DevSecOps and compliance as code. The underlying mechanism is the playbook, which can be implemented in components such as firewalls and endpoint/extended detection and response (EDR/XDR) platforms. However, the path to automation is hard because organizations are complex: they vary in size, services, structure and processes, and they must contend with unstandardized processes and technology that hinder the achievement of security goals. Standardization, meaning uniformity in security practices, is essential but difficult to achieve in such environments. Simplifying processes and technology architecture is a prerequisite for uniformity, and a preliminary step in simplification is to eliminate non-essential elements.
The ESSA Approach
The eliminate, simplify, standardize and automate (ESSA) approach is not a new concept; it has been a foundational strategy for business optimization for many years. The methodology provides an effective framework for streamlining operations, reducing inefficiencies and maximizing productivity. It has been widely adopted across industries to eliminate wasteful processes, enhance workflow efficiency and drive continuous improvement. To recap its components:
- Eliminate: Remove non-essential elements such as outdated or unused software/hardware, redundant security processes, unnecessary user access rights and non-essential services/features on the system.
- Simplify: Reduce errors by maintaining consistent baseline configurations, simplifying architecture for easier monitoring and security, streamlining tools and interfaces for user-friendliness, and ensuring ease of use and enforcement.
- Standardize: Implement standard security policies, standardized protocols, an approved set of security tools and standardized incident response procedures.
- Automate: Use automated threat detection and response tools, automated patch management, automated monitoring and logging, and automated compliance checks to ensure adherence.
ESSA for Cybersecurity
The ESSA approach provides a strong foundation for aligning security goals with business objectives, such as expansion, competitiveness (achieved through faster time to market via DevSecOps) and protection, and it smooths the transition between them. It should be a continuous, cyclical process embedded in the organization's culture, not a one-time effort.
A key starting point for adopting ESSA in a cybersecurity program is the Pareto principle (the 80/20 rule), applied as a working heuristic rather than a measured statistic. In vulnerability management, for instance, roughly 80% of vulnerabilities tend to reside in 20% of assets, typically legacy systems. The same rule of thumb applies to access: a large share of data breaches is linked to excessive user access rights, where only a fraction of the granted access is actually needed.
"Tool sprawl", the accumulation of unnecessary security technologies, is a common issue that diverts focus and adds complexity. By the same heuristic, 80% of compliance requirements can be met with 20% of the available security controls, so identifying and prioritizing the controls that best fit your architecture is crucial.
In short, applying the 80/20 rule boosts efficiency by focusing on the 20% of factors that cause 80% of the inefficiency. In practice this might mean eliminating redundant manual tasks or decommissioning legacy systems that no longer add value.
My Experience of ESSA
I was involved in a project to centralize IT infrastructure across an organization's sub-business units. Under the resulting operating model, infrastructure and networks are centralized while application teams remain decentralized within each business unit. The project faced numerous challenges because of the variation in infrastructure components.
One significant challenge in vulnerability remediation was identifying and assigning ownership, which is crucial for effective remediation. After completing asset collection, we discovered a number of shadow assets. The first step was to determine the status of each; where neither owner nor purpose could be identified, we decided to decommission the asset. This involved switching it off for a period to observe whether anything broke before final elimination.
The large number of assets resulting from centralization exceeded the capacity of our teams, so we applied the Pareto rule and focused on exploitable vulnerabilities in the first year. This targeted the 3% of vulnerabilities that posed the highest risk.
The second challenge was that vulnerabilities sat at different levels (application and system). This raised concerns that some upgrades might interrupt applications, making teams hesitant to apply necessary patches, and classifying vulnerabilities by level created misalignment and frequent transfers of vulnerability ownership, delaying remediation. To simplify ownership, we made asset owners accountable for every vulnerability within their assets; it is their responsibility to delegate remediation tasks to their teams. Ownership assignment is based on the master service level agreement signed by the business units' executives.
Once vulnerability ownership was simplified, the process was standardized so that the Information Security team could track remediation with the allocated team. The Information Security team then built an automatically updated dashboard, fed by daily scanning of all assets, with metrics to monitor the performance of asset owners.
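The prioritization and ownership rules above can be made concrete. The following Python is an added example, not code from the article or from the author's project: it tiers findings so that exploitable ones come first, charges every finding to the asset owner regardless of whether it is an application- or system-level issue, and produces the per-owner counts a remediation dashboard would show. The tier rules, the SLA deadlines, the field names (owner, exploitable, internet_facing) and the five sample findings are all assumptions constructed for illustration; "exploitable" stands in for whatever evidence the scanner provides, such as a known-exploited listing or a public exploit.

```python
# Added example, not code from the article. Tier rules, SLA days and the
# sample findings below are assumptions constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed remediation deadlines (days) per tier; the article gives no figures.
SLA_DAYS = {"critical": 14, "high": 30, "normal": 90}
TIER_RANK = {"critical": 0, "high": 1, "normal": 2}


@dataclass(frozen=True)
class Finding:
    asset: str
    owner: Optional[str]        # asset owner under the master SLA; None = shadow asset
    finding_id: str             # scanner's own identifier (placeholder values below)
    cvss: float
    exploitable: bool           # scanner evidence of a working exploit (assumed field)
    internet_facing: bool
    first_seen: date


def tier(f: Finding) -> str:
    """Pareto cut: exploitable findings first, reachability breaks ties."""
    if f.exploitable and f.internet_facing:
        return "critical"
    if f.exploitable or f.cvss >= 9.0:
        return "high"
    return "normal"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Work queue: highest tier first, then CVSS descending, then id for a stable order."""
    return sorted(findings, key=lambda f: (TIER_RANK[tier(f)], -f.cvss, f.finding_id))


def is_overdue(f: Finding, today: date) -> bool:
    return (today - f.first_seen).days > SLA_DAYS[tier(f)]


def owner_metrics(findings: List[Finding], today: date) -> Dict[str, Dict[str, int]]:
    """Per-owner counts for the dashboard. Findings on assets with no owner are
    reported under UNOWNED so they cannot silently fall through the cracks."""
    metrics: Dict[str, Dict[str, int]] = {}
    for f in findings:
        m = metrics.setdefault(f.owner or "UNOWNED",
                               {"open": 0, "overdue": 0, "critical_overdue": 0})
        m["open"] += 1
        if is_overdue(f, today):
            m["overdue"] += 1
            if tier(f) == "critical":
                m["critical_overdue"] += 1
    return metrics


# Constructed sample scan output (not real findings or identifiers).
SAMPLE = [
    Finding("web-01", "bu-retail", "scan-0001", 9.8, True, True, date(2024, 6, 1)),
    Finding("web-01", "bu-retail", "scan-0002", 5.3, False, False, date(2024, 1, 15)),
    Finding("db-07", "bu-finance", "scan-0003", 9.1, False, False, date(2024, 6, 20)),
    Finding("db-07", "bu-finance", "scan-0004", 7.5, True, False, date(2024, 5, 1)),
    Finding("legacy-03", None, "scan-0005", 6.5, False, False, date(2024, 6, 25)),
]
TODAY = date(2024, 6, 30)

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{tier(f):8} {f.finding_id} {f.asset:10} owner={f.owner or 'UNOWNED'} "
              f"overdue={is_overdue(f, TODAY)}")
    for owner, m in owner_metrics(SAMPLE, TODAY).items():
        print(owner, m)
```

Two things in this example carry the article's point rather than being incidental: the "critical" tier is defined by exploitability and exposure, not by CVSS alone, which is what makes the small high-risk subset fall out of the sort; and the UNOWNED bucket is what turns shadow assets into a visible backlog instead of an invisible one.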
The essence of ESSA is that it is cyclic. After establishing the full vulnerability management cycle, we inserted a new standardized process for provisioning new assets: pre-approval requires integrating the asset with the dashboard for an initial scan, integrating it with the SIEM and joining it to the domain before it is released to its owner.
Another observation was the variety of operating systems (OS) in use, each requiring different skills to fix vulnerabilities. To match skills, speed up remediation and improve group policy management, we standardized on a minimum number of OSs. The remaining OSs were eliminated by migrating their applications to the standardized set.
ESSA extends beyond vulnerabilities. It also covers identity and access management (IAM): dormant user accounts are disabled after more than six months of inactivity and deleted after one year of inactivity. Work is ongoing to eliminate excessive privileges and to simplify and standardize the provisioning and deprovisioning of accounts and privileges. Once standardized, that process will be automated so that it scales with the infrastructure.
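The dormancy rule is the kind of standardized step that can be automated once it is written down precisely. The Python below is an added example, not the author's or the article's code: it applies the six-month disable and one-year delete thresholds from the text to a directory export and returns an action per account. Everything beyond the two thresholds is an assumption chosen for illustration: the account fields, the exemption of break-glass accounts, routing service accounts to manual review, measuring never-logged-on accounts from their creation date, and the rule that an enabled account is never deleted outright but disabled first and deleted on a later run, so a mistaken judgement can be reversed. The sample accounts are constructed.

```python
# Added example, not code from the article. The six-month/one-year thresholds
# follow the article; fields, exemptions and the sample export are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

DISABLE_AFTER = timedelta(days=183)   # "more than six months" of inactivity
DELETE_AFTER = timedelta(days=365)    # one year of inactivity


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                   # "user" or "service" (assumed attribute)
    created: date
    last_logon: Optional[date]  # None = never logged on
    enabled: bool


def lifecycle_action(acct: Account, today: date,
                     protected: FrozenSet[str] = frozenset()) -> str:
    """Return keep / disable / delete / review / exempt for one account.

    Design choices (assumptions, not the article's):
    - break-glass accounts named in `protected` are never touched;
    - service accounts rarely log on interactively, so they go to manual
      review rather than being judged by last-logon;
    - an account that has never logged on is measured from its creation date;
    - an enabled account is never deleted directly: it is disabled first and
      deleted on a later run once a year of inactivity has passed.
    """
    if acct.name in protected:
        return "exempt"
    if acct.kind != "user":
        return "review"
    inactive = today - (acct.last_logon or acct.created)
    if acct.enabled:
        return "disable" if inactive > DISABLE_AFTER else "keep"
    return "delete" if inactive > DELETE_AFTER else "keep"


def plan(accounts: List[Account], today: date,
         protected: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Map each account name to the action the current run should take."""
    return {a.name: lifecycle_action(a, today, protected) for a in accounts}


# Constructed directory export (not real accounts).
SAMPLE = [
    Account("alice", "user", date(2020, 1, 1), date(2024, 6, 1), True),
    Account("bob", "user", date(2019, 5, 5), date(2023, 11, 15), True),
    Account("carol", "user", date(2018, 3, 3), date(2023, 5, 1), True),
    Account("dave", "user", date(2018, 3, 3), date(2023, 5, 1), False),
    Account("erin", "user", date(2024, 3, 1), None, True),
    Account("svc-backup", "service", date(2017, 1, 1), None, True),
    Account("breakglass-admin", "user", date(2017, 1, 1), date(2022, 1, 1), True),
]
PROTECTED = frozenset({"breakglass-admin"})
TODAY = date(2024, 6, 30)

if __name__ == "__main__":
    for name, action in plan(SAMPLE, TODAY, PROTECTED).items():
        print(f"{name:18} {action}")
```

Note the deliberate two-step behaviour: carol has been inactive for over a year but is still enabled, so this run only disables her; dave, already disabled and past the year, is the one slated for deletion. That mirrors the switch-off-and-observe discipline the text applies to shadow assets.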
Advice for CISOs
My view is that CISOs should incorporate the ESSA approach, with the Pareto principle at its core, into their cybersecurity strategy. By focusing on the most critical 20% of factors that drive 80% of results, whether that means reducing vulnerabilities, minimizing excessive user access rights or simplifying security controls, organizations can optimize their resources, enhance protection and align security efforts with broader business objectives. This strategic focus leads to a more efficient and resilient cybersecurity program.
Amur Almanji, CISSP has 10 years of experience in network security, cryptography and GRC. He has held management and technical roles, with responsibility for managing strategic cybersecurity initiatives, R&D, risk management, regulatory compliance and architecture.