

Jason Sandys

Calculating the Value of Security

What will it take to align staff and budget to protect the organization?

As much as we'd like to think things have changed in the wake of WannaCry, NotPetya, and other high-profile breaches, many companies still don't take IT security seriously. It's easy to see why: Target, Sony Pictures, Equifax, and Maersk are still very much in business and doing just fine.

Have those organizations changed their protocols as a result? Undoubtedly. It takes a direct hit on an organization, with a significant financial impact, to force change. Until then, it's business as usual.

Of course, this is a tremendous source of stress for CISOs and their security teams. They're reminded daily how vulnerable the organization is: patching that is woefully out of date, remote workers with unprotected systems out in the wild, insufficient budget and resources and a lack of cooperation — or worse, direct conflict — between IT operations and IT security.

A new report on IT security from 1E, "Getting Your House in Order," finds three challenges facing IT: securing new technologies, restrictive budgets, and a lack of understanding between IT security and IT operations on how the other works. Worse yet, 90% of organizations prioritize something else (customer service, sales, etc.) ahead of IT security when it comes to budget allocation. 

Short of a breach, what will it take for companies to get it together and properly protect the organization? They must do the following:

1. Acknowledge how accessible their data is. There's a general lack of knowledge about how discoverable data sets are, even in supposedly secure cloud platforms. Too many operate under the assumption that they can dump data into an S3 bucket in the cloud and it will be safe because it's on a secure platform. Cloud storage is only as secure as your protocols and endpoints used for accessing it. A single compromised user credential can provide unfettered access to your most valuable data.

2. Recognize outsourcing isn't the answer. Most companies believe by dumping their data into the cloud, they're also dumping the security responsibility onto the cloud host. They assume that buying space on Amazon Web Services or Azure is like buying an insurance policy. This is not the case; plenty of S3 buckets are left completely unsecured. Even if they were secured by the host, the data is only as secure as the points of access to it, which is why safeguarding endpoints is absolutely critical.
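As an added illustration of points 1 and 2 (this is example code, not from the article or from 1E's report), the following Python script evaluates an S3 bucket's public access block settings together with its bucket policy and reports anonymous exposure. The input is constructed sample data in the shape boto3 returns rather than a live AWS call, and the statement-matching rule is a simplification of AWS's own definition of a "public" policy.

```python
import json

# Constructed sample input, shaped like boto3's
# get_public_access_block()["PublicAccessBlockConfiguration"] and get_bucket_policy()["Policy"].
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowCI", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})


def _is_anonymous(principal):
    """True when a statement's Principal is the wildcard, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy_json):
    """Sids of Allow statements that grant anonymous access without any Condition."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))
            and not s.get("Condition")]  # conditioned grants need manual review


def assess_bucket(pab, policy_json):
    """Return a list of findings; an empty list means no anonymous exposure was found."""
    findings = []
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    anon = public_statements(policy_json)
    # RestrictPublicBuckets neutralises an existing public policy; without it the grant is live.
    if anon and not pab.get("RestrictPublicBuckets"):
        findings.append("policy grants anonymous access: " + ", ".join(anon))
    return findings


if __name__ == "__main__":
    for finding in assess_bucket(SAMPLE_PAB, SAMPLE_POLICY):
        print("FINDING:", finding)
```

Running it against the sample reports both an incomplete public access block and the anonymous `PublicRead` grant; setting all four block flags to true silences the second finding, which is the point the article makes about relying on the platform's own controls.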

3. Match the value of their data with equivalent resources. Unless you're putting enough resources and investment toward protecting data, it's not going to be secure. To improve cybersecurity, over 75% of IT pros say their organization needs to invest more in software migration automation and training for IT security and IT operations teams. And more than 60% say their company needs to invest more in software patching. Clearly, there is misalignment on the value of security and the resources allocated toward it.

4. Assess the level of risk within their IT estate. Only about 60% of organizations report having a high level of control and visibility over endpoints on the network and software in use. With remote workers, local admin rights and departmental or location-based autonomy, it's nearly impossible for IT to keep up with tracking the organization's assets without some type of automated solution to do so. However, you can't safeguard what you can't see; organizations must gain clearer visibility of the IT estate in order to deliver proper protection.

5. Migrate to Windows 10. There isn't a business case for upgrading to Windows 10 beyond security. Yet, whether you pay the extended support agreement for Windows 7 or you bite the bullet and migrate to 10, you'll still be forking over the cash for endpoint security. CIOs must recognize improving security is a valid business case, and protecting the organization protects the bottom line — and potentially the financial security of the board of directors and shareholders. In fact, 58% of survey respondents believe that failure to migrate to Windows 10 by 2020 will result in "significant security risk." CISOs can use this risk potential to garner investment in making the upgrade.

6. Solve patching and bandwidth issues. The pace of updates and the challenge of limited bandwidth creates a bottleneck for many companies. If I run a financial firm and my day traders are down for an hour for a system patch, they could lose $1 million apiece. Considering that more than half of IT pros believe unpatched software is one of the main causes of security breaches, patching must become a priority. Investing in the right tools to automate the process can help overcome patching challenges and the bandwidth deficits that are partly to blame.

Bringing IT operations and IT security together establishes cohesion on the end goal. At Microsoft, not only do all of the developers have some level of security training, they also have security people sitting alongside them. They collaborate to ensure that work in progress meets the company's established security guidelines from the beginning, which reduces the risk of a security flaw and prevents adversarial situations between the two teams.

By educating both teams on the roles, goals, and objectives of the other, companies can leverage the full capability of their IT resources to secure the organization with an investment that reflects the value they place on security.


Jason Sandys, Enterprise Mobility MVP, has 20+ years of experience in a wide range of technologies, environments, and industries and extensive knowledge in implementing and supporting all things SMS and Configuration Manager beginning with SMS 2.0. He is currently a ...

7/19/2019 | 7:12:15 PM
Interesting comments
I love the title, I don't think you can put a value on security and one's reputation. However, there are a few things that stood out in the message.
  • 1. Acknowledge how accessible their data is. - The first thing you said is the lack of knowledge. Someone from Accenture, Attunity and other organizations has allowed certain individuals who have not been properly trained to configure S3 buckets. For one, there is a setting that says "Block public access". So they had to uncheck the boxes in order to give the public access. From a training standpoint, this should have been the first thing that came up. It would not have mattered if it was onsite or offsite; this was an oversight by the entire organization (no one from the security team, audit, IT or Engineering addressed this issue).
  • S3 configuration
  • 2. Recognize outsourcing isn't the answer. - The same explanation applies: the cloud is only as good as the person driving it. They can't think of everything; that is where training and consulting will prove to be beneficial and provide guidance in helping the organization make the right decisions. There is a solution AWS provides where it runs security checks against your environment. This would have been useful in their design and could have mitigated this issue.
  • 3. Match the value of their data with equivalent resources. - I agree with this sentiment. This was discussed in the earlier sections, but we are on the same page.
  • 4. Assess the level of risk within their IT estate. - Yes, this can be done with IT NMS tools (i.e. Solarwinds, HPE Openview, OpenManage), but there is another way as well: I can go into the router and extract the MAC addresses, then I can download the MAC address lookup values (1st six digits) and determine what type of device sits on the network (this would have helped NASA identify the Raspberry PI on their network).
  • 5. Migrate to Windows 10 - Ok, if the organization is a Windows shop, then yes. But I would look into other solutions like Cinnamon, Lubuntu, Suse, Ubuntu, Core-OS or others. The systems can be managed using tools from HPE ALG. They provide more security tools that are inherent like:
    • IPTables/UFW - elaborate firewall rules: "iptables -I INPUT 1 -p tcp -m multiport --dport 22,80,443 -m conntrack --ctstate NEW -j ACCEPT"
    • SELinux - policies to address accessibility: semanage fcontext -a -t "default_t" "/home/<user>(/.*)?" or "chcon -Rv --type='default_t' /home/<user>" | "restorecon -Rv /home/<user>"
    • RKHunter/Chkrootkit - Rootkit analysis - rkhunter -c
    • Fail2Ban - IPS/IDS
    • Webmin - Online management tool, gives admins the ability to monitor and check individual machines from a web interface. Fedora does the same thing on port 9000; also, with packages from OAuth and Moo, the system provides MFA/2FA using Amazon, F5 or Google
    • SIEM - easy to integrate existing systems and monitor log information "tail -f /var/log/audit/audit.log" | setenforce 1
    • Tie Linux system to AD (slapd) and run "crontab -e | 0 1 * * * yum update > /home/<user>/desktop/update.txt"
  • 6. Solve patching and bandwidth issues. - Patching is one thing, but addressing an inherent security risk that has not been patched is another (i.e. telnet running, open RDP, GPOs not pushed to the desktop properly, and backup and imaging processes that have not been established). There are tools that can restore entire systems (desktops/laptops) within minutes using tools found on the web instead of hours.

You have made some valid points, I do think we have to continue to do the work and stay vigilant.

8/1/2019 | 4:37:02 PM
Shockingly high percentage of companies!
90% is an alarmingly high percentage of companies not prioritizing IT security. Many make the push to the cloud with AWS but ignore the importance of data security. TLS 1.3 is a great move for data encryption in the cloud but comes with the downside of visibility loss. Nubeva has a new method for out of band decrypted visibility for TLS 1.3. It's called Symmetric Key Intercept. Check it out on our website!