Threat Intelligence
5/12/2017
11:00 AM
Mike D. Kail
Mike D. Kail
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

5 Steps to Maximize the Value of your Security Investments

How a 'security rationalization' process can help CISOs make the most out of their information security infrastructure, and also improve the company bottom line.

Over the past several years, cybersecurity has emerged as a massive market. With debilitating data breaches a common occurrence and cybercriminals more capable and organized than ever before, organizations of all sizes and industries have turned to security technologies to protect their valuable assets. According to Gartner, spending on cybersecurity products and services hit more than $80 billion in 2016, and recent research from Cybersecurity Ventures predicts that the global cybersecurity spend will exceed $1 trillion between 2017 and 2021.

It’s hard to deny the need for critical security tools. Unfortunately, all too often, organizations get swept up in the fast pace of the market and accumulate an abundance of tactical tools that end up only solving part of the problem (or overlapping with what they already have). Alternatively, some organizations become overwhelmed by the vastness of the industry and resort to a deer-in-the-headlights approach; they don’t know where to begin, so they postpone any major purchases, or simply underinvest in crucial products or services.

No matter the reason – whether you’ve over-invested in security tools, under-invested, don’t know the extent of your security capabilities, or you’re facing new regulations that require you to demonstrate and continually maintain compliance – there is a path forward! The first step is to develop a security rationalization process to calculate the return on your security investments. Here’s how to get started:

1. Establish a goal.
While organizations’ end goals may vary slightly, every effective security rationalization should begin with the question, “How secure are we?” To begin the process, start by defining your desired goals and then work backwards to accomplish them. Examples of common goals include: understanding where sensitive data lives, establishing a baseline of infrastructure security configurations, and determining which applications are the highest risk. Equally important is establishing how secure your entire organization is, as well as how secure individual systems are - from application vulnerabilities all the way down to the source code level, (for example, GitHub Repositories).

Overall security is really defined by resiliency, and a way to establish the initial level is to take inventory of all of your current processes and schedules around code, application, and inventory scanning. Much like a fitness program, if you don't exercise on a regular basis, you will typically be less healthy. In security, if you don't test/scan for vulnerabilities on a continuous basis, your level of resiliency will be low.

2. Take inventory.
By taking stock of your existing portfolio of tools and services, you will expose any gaps in coverage as well as any technology overlap. Be sure to do more than simply looking at software. You should also take an inventory of people and their skills, processes, and systems.

3. Classify tiers.
It’s crucial to classify all company systems and applications into multiple tiers based on needs and data sensitivity so that you implement the proper level and frequency of security testing. The classification process, which should be performed frequently, will give you greater insight and visibility across all of your infrastructure. For instance, perhaps your Tier 1 needs a system of cybersecurity tools that Tier 2 doesn’t require. Or, maybe you have an additional tier that doesn’t fall into any one category, and it needs its own subset of tools or protection. 

4. Focus on outcomes
At this point, you’ll have pinpointed your organization’s cybersecurity gaps. When identifying these holes, however, it’s crucial to compare them to your initial objectives and business outcomes. For example, maybe you found you have a mission-critical order processing system that’s not getting scanned for vulnerabilities on a regular basis. Recognize that this cybersecurity weakness also makes it impossible to scan-certify your systems when rolling in patches and upgrades.

5. Fix it.
Almost all security rationalization processes find something amiss, lacking or broken. Rather than getting discouraged or alarmed when these results appear, keep moving forward. Get to work fixing the problem(s) in-house, hire professional services to solve the problem(s) for you, or invest in tools such as cybersecurity virtualization to fill in any holes as a service. 

The best security rationalization projects don’t just improve security. They enhance new, and more customer-centric ways of delivering services by seamlessly integrating security into the software development lifecycle. This is an important aspect to stress when you’re getting buy-in from your C-suite and board, which is critical for achieving the objectives of the rationalization project. Also, take time to establish scope, allocate resources and budget, and develop governing systems to maintain control and integrity during the process. Doing so will drastically improve the security of your environments, in addition to saving your organization valuable financial, technical and employee resources. 

Related Content:

 

Mike D. Kail is Chief Innovation Officer at Cybric. Prior to Cybric, Mike was Yahoo's chief information officer and senior vice president of infrastructure, where he led the IT and global data center functions for the company. Prior to joining Yahoo, Mike served as vice ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.