Information Security is a question every organization is trying to answer as part of its strategy, but is there “an answer”? Recently, Gartner reported approximately $114 billion was spent in 2018 on security, an increase of 12.4%. Furthermore, 2019 is projected to have spending exceed $124 billion (8.7% growth). Yet with all this spending, we are still seeing a record number of breaches and a continual trend of expanding regulations.
What is the right amount of investment that an organization should make in Information Security: is it a percentage of IT spend? And in which areas should an organization be investing in its security program?
An organization’s security leader must answer these questions and create alignment with the business strategy and risk tolerance. Organizations that process personal information or financial transactions (e.g. banks, credit bureaus, etc.) typically have larger spends due to their risk profiles as well as regulatory and privacy requirements.
Historically, executives have thought that security is all about spending and that more cost equals better protection, but the focus should really be on how you drive value for your organization. There are thousands of security vendors (and more coming every day) who tell you that buying their solution will “stop every threat” or “protect your information no matter where it is,” but if this were the case, why does the number of breaches keep increasing?
I would suggest that this trend of purchasing new security tools without first focusing on the basics may be in part to blame. A new “flashy” security system is useless without proper forethought on integration with existing technologies and how to operationalize new alerts. The best investment for any organization is to not always buy the newest tool, but to get back to being good at the fundamentals and creating measurements for the security program. Your Board of Directors is increasingly aware that throwing money at the problem is not a sound investment strategy. They also know having a longer-term strategy and alignment to security maturity frameworks (ISO27001, NIST Cybersecurity Framework, etc.) allows the organization to look at the problem from a risk perspective to make informed investment decisions.
Before thinking about the next best thing, your security program should have solid foundational control and metrics. Some key elements of an effective security program are:
• Program Metrics – Without metrics it’s impossible to know how well a program and its elements are operating. Developing metrics that all levels can understand, from the board room to the help desk, is key to driving the need for investment and telling your security story. Choose approximately five areas to report on that will drive change in your organization’s security posture. This helps build advocates for the security program and shows return on investment in a real-world environment.
• Risk Management – Oftentimes organizations view information security as the “Department of No”—this is absolutely the wrong impression. Every security practitioner should be enabling the business by helping them make risk-based decisions. Establishing a framework for how risk is understood and measured is a key element of a security program. It’s OK to accept risks, under the right circumstances, to enable business elements.
• Patching – Numerous breaches have occurred because systems were left unpatched, leading to exploitation. Patching has been around since the dawn of computing, so why is it so hard? Unfortunately, this operational task falls by the wayside for numerous reasons (resource constraints, time to test, the business can’t afford downtime, etc.). Look at the last ten major breaches: most are attributed to patching and maintenance gaps. Everyone should take a hard look at their patching processes and make investments to reduce system exposure. We meticulously service our vehicles and ensure that they are in peak operating condition, so why are we treating our core systems any differently? Working with the business to make sure maintenance windows can be established is imperative to operationalizing patching and building it into standard operating procedures.
• Vulnerability Management – Similar to patching, vulnerability management has become another operational process that has struggled in many organizations. One issue has been the fault of security practitioners. Sending a vulnerability report that is hundreds of pages long to the teams and saying “fix it” doesn’t drive progress. It’s unreasonable to think that anyone can take a 200+ page report and turn it into action. Security practitioners should take vulnerability data and prioritize key elements for action and remediation. Targeted management enables teams to efficiently remediate prioritized risks. These elements should be refreshed regularly and reported to senior management to show progress.
• Identity & Access Management – As many technology strategies move to cloud-based systems, the integration and management of identities becomes more important. Provisioning and deprovisioning accounts, as well as securing access (e.g. multifactor authentication), become key elements of how you keep your systems, and ultimately your data, safe from unauthorized parties. Take time to analyze whether your identity strategy is operating effectively across your key platforms and whether there is an opportunity for federation or for implementation improvements.
• Awareness Training – Look at new approaches to security awareness training versus the 30-45 minutes of death by online PowerPoint. Take a risk-based approach to your awareness program and utilize quick-hitting micro-training (3-5 minute courses/videos) to convey the message. Focus efforts on the users who pose more risk to your organization (victims of account breaches, those who fail phishing tests, etc.) and on changing their behaviors. Serial offenders are the biggest risk to the business.
• Incident Response & Recovery – We all know stopping every incident is not a reasonable goal, because mistakes will be made and things will happen. Having an incident response plan, including escalation paths that reach senior leaders, is important, as you don’t want to be figuring it out in the middle of a crisis. Isolation, investigation and recovery programs, especially for critical systems and functions, are imperative to business continuity and to minimizing data exfiltration and impact.
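The Program Metrics, Patching and Vulnerability Management items above all come down to the same practice: turn a long scanner report into a short, prioritized list per owning team, and report a handful of numbers that show whether remediation is keeping pace. The script below is an added example, not code from the original article. The findings, host names, team names and vulnerability identifiers are constructed placeholders, and the weighting of CVSS by exposure, exploit availability and asset criticality, as well as the SLA days per tier, are hypothetical choices that an organization would set for itself.

```python
"""Added example: prioritize constructed vulnerability findings and
compute patch-SLA metrics by tier (not from the original article)."""
from collections import defaultdict

# Constructed sample scan findings. "vuln" values are placeholders, not real CVE ids.
FINDINGS = [
    dict(host="web-01", owner="web-team", vuln="PLACEHOLDER-0001", cvss=9.8,
         internet_facing=True, exploit_public=True, asset_criticality="high", age_days=40),
    dict(host="web-02", owner="web-team", vuln="PLACEHOLDER-0002", cvss=7.5,
         internet_facing=True, exploit_public=False, asset_criticality="high", age_days=3),
    dict(host="db-01", owner="dba", vuln="PLACEHOLDER-0003", cvss=8.1,
         internet_facing=False, exploit_public=True, asset_criticality="high", age_days=60),
    dict(host="hr-laptop-17", owner="endpoint", vuln="PLACEHOLDER-0004", cvss=6.5,
         internet_facing=False, exploit_public=False, asset_criticality="low", age_days=120),
    dict(host="print-01", owner="endpoint", vuln="PLACEHOLDER-0005", cvss=4.3,
         internet_facing=False, exploit_public=False, asset_criticality="low", age_days=10),
    dict(host="dev-build-03", owner="platform", vuln="PLACEHOLDER-0006", cvss=9.1,
         internet_facing=False, exploit_public=False, asset_criticality="low", age_days=15),
    dict(host="vpn-gw-01", owner="network", vuln="PLACEHOLDER-0007", cvss=9.9,
         internet_facing=True, exploit_public=True, asset_criticality="high", age_days=2),
]

# Hypothetical remediation SLAs (days) per tier; an organization sets its own.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TIER_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def risk_score(f):
    """Hypothetical weighting: CVSS plus context the scanner does not know about."""
    score = f["cvss"]
    if f["internet_facing"]:
        score += 1.5
    if f["exploit_public"]:
        score += 1.5
    if f["asset_criticality"] == "high":
        score += 1.0
    return round(score, 1)


def tier(f):
    """Map the contextual score onto the tiers the SLAs are expressed in."""
    s = risk_score(f)
    if s >= 11.0:
        return "critical"
    if s >= 8.5:
        return "high"
    if s >= 5.0:
        return "medium"
    return "low"


def past_sla(f):
    return f["age_days"] > SLA_DAYS[tier(f)]


def prioritize(findings, top_n=5):
    """Hosts to act on first: by tier, overdue items first, then by score."""
    ranked = sorted(findings,
                    key=lambda f: (TIER_RANK[tier(f)], not past_sla(f), -risk_score(f)))
    return [f["host"] for f in ranked[:top_n]]


def sla_metrics(findings):
    """Per tier: open findings, how many are past SLA, and percent within SLA."""
    totals, overdue = defaultdict(int), defaultdict(int)
    for f in findings:
        t = tier(f)
        totals[t] += 1
        if past_sla(f):
            overdue[t] += 1
    return {t: {"open": totals[t], "past_sla": overdue[t],
                "pct_within_sla": round(100 * (totals[t] - overdue[t]) / totals[t], 1)}
            for t in totals}


def action_plan(findings, top_n=5):
    """Group the top findings by owning team so each team gets a short list."""
    chosen = set(prioritize(findings, top_n))
    by_owner = defaultdict(list)
    for f in findings:
        if f["host"] in chosen:
            t = tier(f)
            due = "OVERDUE" if past_sla(f) else f"due in {SLA_DAYS[t] - f['age_days']}d"
            by_owner[f["owner"]].append(f"{f['host']} {f['vuln']} ({t}, {due})")
    return dict(by_owner)


if __name__ == "__main__":
    for owner, items in action_plan(FINDINGS).items():
        print(owner, items)
    for t, m in sla_metrics(FINDINGS).items():
        print(t, m)
```

The two outputs are the two things the article asks for: `action_plan` is the handful of items each team is actually asked to fix this cycle, and `sla_metrics` is a metric a board can read without seeing the underlying report. Re-running the same script on next month's findings shows whether remediation is keeping pace or the overdue count is growing.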
While we all love to have the latest and greatest technology, we realize that it’s not feasible or financially sound. Before you invest in a new tool or platform, take time to assess your security program and make sure that there is a focus on some of the core elements of an effective security program. Having strength in the fundamentals will gain you a far better return than any shiny new tool.