Twenty-five miles and seven hours into my first 50 mile trail running race, I told myself there are only twenty-five miles and seven hours to go. It should be simple – just keep going, right? This was my mindset a year into taking up running at my first Leadville Silver Rush 50 run. The idea was simple and easy to adopt, but the execution was much more complicated – and it ultimately led to a DNF, or Did Not Finish.

Retrospective

Looking back, it was frustrating not reaching the outcome I wanted, but at the same time failure was inevitable because of my incomplete plan, poor foundations, and impatience. I thought I knew how to run long distances, but ultramarathons are a different game:

  • Keeping fueled requires a proactive approach that goes beyond eating or drinking when you feel the need
  • Leg strength goes beyond just running. Muscle imbalances will cause problems at such distances if you neglect them
  • “Pacing yourself” means knowing a thing or two about heart rate, especially when climbing mountains at over 10,000 ft

Long Distance Running meets Security

From what I’ve seen, working in the security industry is pretty similar. The directive may be simple – “Improve security,” or even, “Don’t get breached” – but the realization of this is a little more complicated. Like endurance running, implementing a mature and effective security program ultimately starts with a good plan, coupled with three main things – a strong foundation, patience, and persistence.

Your foundation consists of your baseline expectations and your “why.” For long distance running, I told myself that it’s going to be a long journey ahead. Successful long distance runners find their results, whether that be sheer distance completed, personal records, or on the podium, after years of hard work. The truth is that running is hard on the body, and building that kind of fitness takes time. One base expectation you can also have when building a security implementation is that the work will be hard, whether it be from limited budget or tight timelines. But, with time and resourcefulness, your organization can also develop a mature security program.

Your “Why”

Coupled with strong base expectations is your “why” – the motivation for why you want this and the motivation when unexpected drawbacks occur. My “why” was for a lifetime of health and the ability to explore the world where a car or plane couldn’t take me. For building an effective security program for your organization, the “why” needs to exist on a few levels:

Who | Their “Why”
--- | ---
Executives | Security is ultimately a long-term investment that pays dividends in preventing breaches and building customer/stakeholder trust, even if it may seem expensive up front. The truth is, attackers are here to stay and it’s only a matter of time before someone with bad intentions starts to pay attention to your organization.
Product Teams | Building security into the product development cycle helps ensure products meet their standards and deadlines are kept.
Engineering Teams | It will help ensure long-term production efficiency, with less of a need to stop, backtrack, and fix bugs at any stage of the development lifecycle.

Patience

Still, progress takes time. Since my DNF at Leadville a year ago, I’ve only worked my way up to finishing a 50K trail race. At that pace, it may end up taking a few more years before I’m really ready to take on that 50 miler. That’s a little discouraging to hear, but the truth is building running fitness happens over months, years, and decades, rather than days and weeks. Getting here took a long way, and there’s an even longer way to go.

Security is the same. For your organization that has expectations and deadlines to meet, chances are a last-minute pentest will eventually cause issues for product delivery timelines. It takes time and patience to effectively build security into your development pipelines without compromising resources and expectations, or overloading your engineers. (But, it doesn’t mean you have to sacrifice security in the short term. Here are some ideas to improve your application security today.)

Persistence

Unfortunately, failures and setbacks will happen along the way. For me, running injuries, illnesses, and even a global pandemic have made it hard, even discouraging at times, to maintain consistency. It can be frustrating, but remembering my “why,” as well as looking back at my progress on the macro level, helps me continue on. Two years into this running thing and I’ve run my first half marathon, eked out a 50K ultra with 15 minutes to spare, made it 25 miles into a race at 10,000 ft in elevation, and made a 5th place age group finish for another 50K. I’m not where I thought I would be, but I’m a lot farther along than when I started.

Your organization will likely come across its own unique share of failures and setbacks as you build out your security program. Maybe you miss a sprint or two, maybe one plan didn’t work out and you go back to the drawing board, or maybe you end up with a breach anyway. The important thing to remember in these cases is that security is not a perfect process. But, over time and with persistence, your security implementation will grow and your organization will learn from the setbacks along the way.

To the next aid station

Building a security implementation is hard work. Without a solid plan, coupled with a baseline understanding of its importance, patience to grow your process, and persistence as you find what works for your organization, you might fall short at the halfway point. Need some help getting started or refining your process? Reach out to us and we’ll help you towards that finish line.