The Foolproof Guide to Building a Miserable Security Program
Want to guarantee frustration, wasted budget, and career stagnation? Follow this advice for spectacular security program failure.
I've watched security leaders burn through millions while creating more problems than they solve. Throughout my career, I've consistently found that some of the most interesting insights and frameworks for thinking about security can be found outside the field.
Speaking of, here are some of the best books I've read in my career that might be helpful for you:
One book I have been reading recently is Poor Charlie's Almanack by Charlie Munger. In this book, there are many great stories and speeches, and one speech in particular stood out to me and how it might apply to the cybersecurity industry.
The speech was a commencement address, and Munger shared the story of the mathematician Carl Jacobi, who used to solve difficult problems by following a simple maxim: "Invert, always invert." Instead of asking "How do I succeed?" Jacobi would ask, "How do I fail?" Then he'd avoid those failure modes.
Charlie’s speech was based on this approach from Jacobi and inspired by Johnny Carson, a late-night TV host, from an earlier speech called “Prescriptions for Misery.” It was a hilarious account of the attitudes, approaches, and actions one would need to take in order to guarantee they had a miserable life, with the point being to obviously avoid all of these things.
So let's flip a common security program challenge that many new and experienced security leaders face, but let’s do it in the same way as Munger did. Instead of asking:
"How do I build an effective security program?"
Let's instead ask:
What's a foolproof way to build a spectacularly miserable security program?
The Guaranteed Misery Formula
Here are some guaranteed ways to create a terrible, horrible, no good, very bad security program.
1. Always Lead with Tools
Start every security conversation with vendor demos. Strategy and planning? That’s for losers who can't appreciate bleeding-edge technology. The shinier the dashboard, the better the security.
2. Never Audit Your Existing Stack
Why waste time understanding what you already own? Assume everything is broken, needs replacing, and that more is better. Overlapping capabilities just mean you're really, really secure. Buy that fourth EDR solution.
3. Staff Optional
Buy first, hire later (or never). Smart tools run themselves. If your team can't figure out the 47-step terraform, Kubernetes, YAML deployment process, they're clearly not senior enough.
4. Pursue Perfect Coverage
Focus obsessively on theoretical attack paths while ignoring where you actually get breached. Stress and theorize over vulnerability management programs, but not patching, responding, and reducing whole classes of bugs with developers. Enterprise architecture diagrams are more important than incident response.
5. Ignore Your Attack History
Did last year's ransomware come through email? This year, definitely invest in a security data fabric platform that does bi-directional network anomaly detection. They say lightning never strikes the same place twice, and history never repeats itself in security.
6. Play Technology Tetris
When metrics look bad, swap vendors. Different company logo == different results. Different is better. Different buys time. Technologies will be rearranged until morale improves.
7. Technology Solves People Problems
Reduce headcount with automation. One person can definitely manage 56 security tools if they're sufficiently motivated (and caffeinated). If using Agentic AI (and one should always be using Agentic AI), double the tools and halve the headcount. If you’re a security leader, find a way to turn yourself into an AI Agent connected to Slack so you don’t have to talk to anyone in real life, ever again (👀 there’s an untapped market here, and if you’re building in this space, let me know so I can invest).
8. User Experience is Someone Else's Problem
Make security as complicated as possible. The more painful and convoluted, the better. That library of policies that your company has to "read and adhere" to? Make them super vague with circular references. Better yet, make them hard to find. If users bypass your controls, they lack commitment to cyber hygiene and are "built different" (read: incorrectly). Iron sharpens iron, and friction builds character.
9. Embrace the Echo Chamber
Get all your information from one source and rely on it blindly. Never talk to people in the trenches. Talking to actual practitioners in similar industries and companies just introduces bias and negativity. Way more important to do ClickOps and hit ‘Next, Next, Next, Next.’
10. ROI Calculations Are for Cowards
Never measure actual business impact or cost avoidance. Justify everything with FUD. If pressed for metrics, mention "the cost of a breach" and wave your hands dramatically. Scowl if you must.
Follow this advice religiously, and I promise you'll achieve:
- Perpetual budget battles
- Tool sprawl that requires tool sprawl management tools
- A team that updates their resumes instead of security policies
- The reputation as "that security leader who buys everything and secures nothing"
Now invert it. 🙃
Do the opposite of everything above, and you might just build something that works.