Systems not Goals

Everyone’s goal is to not get hacked. That goal is meaningless.

Conventional wisdom is that setting specific, actionable goals is the key to success—ensuring our networks are impenetrable, our data is safe, and our businesses are secure. For years, many of us have approached our infosec practices with this goal-oriented mindset, but the reality is that this approach often falls short.

What truly matters isn’t the goal itself, but the system we implement to achieve it. As legendary football coach Bill Walsh says, “The score takes care of itself.” In other words, it’s not the end result that we should be obsessing over, but rather the process we follow to achieve it.

Understanding the difference between goals and systems

James Clear talks about this in his book, Atomic Habits. How the pitfall of focusing on goals causes a few common problems to arise. I’d like to approach this same concept through an information security lens and explore what lessons we can learn from it.

I’m proposing that there are limitations of goal setting in information security and why shifting our focus to building sustainable, robust systems is the key to long-term success. Adopting a “Foundations First” approach will not only help us build stronger security measures but also transform the way we think about and approach our infosec program challenges.

Am I saying goal setting is useless? No. Some north stars serve a purpose for setting a target to provide clear direction for your org and give your team a sense of purpose. That being said, they often do little to move the bar forward, many times even distracting us from some critical steps necessary for true progress.

On the other hand, systems are the means through which we reach our goals—the processes, structures, and habits that actually give us the outcomes we’re looking for. In the realm of infosec, this can include all the basic blocking and tackling of day to day security ops and engineering. I’d put Threat Modeling at the top of the list to better understand what your foundations should look like. Unlike goals, which focus solely on the end result, systems emphasize the journey and provide a roadmap for continuous improvement which is necessary in an industry that is continuously changing.

The goalposts are constantly moving and traditional goal-setting becomes increasingly futile.

Building a Sustainable Infosec System

I was going to start this section with the ol’ “People, Process, and Technology” but I think there is an item 0 on my list here and that’s Threat Modeling

1. Threat Modeling: A mentor of mine has a saying: “If you’re coming to the table without a Threat Model, you’re just finger painting in the air” - That being said, without understanding your threat landscape, you really are just doing things that sound good and not things that you definitely need to be doing. To build a solid foundation for your infosec system, start by identifying potential risks and asking yourself the question, What could go wrong? To understand the people, processes, and technology systems you need - you’ll need to know what you need to protect against these threats.
2. People: Skilled non-toxic professionals are the backbone of any successful infosec system. One bad hire will tank any progress you’re making faster than anything else you can get wrong. Invest in ongoing training and development to ensure your team stays current with the latest threats and best practices. Encourage collaboration and knowledge sharing, both within your organization and with external partners, to strengthen your collective resilience.
3. Processes: Create clearly defined, repeatable, and scalable processes for risk assessment, incident response, and security maintenance. This will help your organization maintain consistency and efficiency in its infosec efforts, reducing the likelihood of mistakes and oversights. This will also create a baseline of the non-sexy mop and bucket work that will need to be done consistently in order even to start to consider the shiny things.
4. Technology: Equip your team with up-to-date, reliable, and integrated tools and infrastructure. These technologies should support your people and processes, enabling them to work more effectively and focus on what matters most—protecting your organization. - If you’re a software shop, make sure your tech is developer-focused, and you aren’t just spitting reports out and throwing them over the fence. Build where it makes sense but where it doesn’t.

You need to align your systems with your organizational culture, objectives, and risk tolerance. I used to work at some large financial institutions and had a saying that we were going to go “full bank” on a particular problem, which usually meant a level of paranoia that I never experienced elsewhere. On the flip side, if you tried to go “full bank” at a software startup, you’d firmly plant that company into the ground.

1. Embrace an iterative approach to infosec, learning from successes and failures alike. Avoid the sunk cost fallacy; if a particular component of your system isn’t working, be prepared to pivot and try something new. By adopting a “fail fast” mindset, you’ll enable your organization to adapt more quickly to new threats and challenges. (read a lot about this in a previous newsletter of mine if you missed it: link and some longer form thoughts on this in another blog post: link)
2. Encourage a culture of continuous improvement, where your team is always looking for ways to refine and optimize your systems. This may involve staying current with industry trends, soliciting feedback from stakeholders, or conducting regular reviews of your processes and technology. By fostering a blameless environment of growth and adaptation, you’ll set the stage for long-term success.