While accountants track quarters and years, cyber security time is measured in seconds, minutes, and months. For instance, Intel Security’s “Malware Zoo” grows at the rate of four new pieces of malware or malicious software every four seconds. Currently, this Zoo has more than 375 million pieces of malware, 103 million obtained and classified in the last nine months alone. The average useful life of a poorly configured or unprotected PC on the open Internet is four minutes.
As a security practitioner, you would not let a device sit unprotected. Now consider this: for anything you want to invest in, your CFO wants to amortize the investment over three to five years, as he or she does for other computer equipment. How can you maintain a strong security strategy and position against an exponentially growing threat, while balancing the rules of Generally Accepted Accounting Principles (GAAP) that seem to dictate current security strategy?
In almost every organization, there are tensions between different functions or departments, as they try to maximize their own objectives. Accounting or finance is trying to maximize the value of the firm, preserving cash, recording assets with as much value as possible, and minimizing capital and operating expenditures. Security is trying to maximize protection for those assets with the smallest impact on everyday operations. (Of course, it is difficult to demonstrate a level of protection, since it involves proving a negative.) The fact is, your security strategy should not mirror your accounting policy. How do you reconcile these two very different perspectives?
Let’s start with the definition of an asset as something that has a probable future economic benefit to your organization. If some aspects of your security system are outdated and can be readily circumvented by the latest attacks, then they have ceased to provide an economic benefit. But how do you use this when you are building a business case for greater investment in security?
With the flurry of recent security breaches, an easy approach is the “fear, uncertainty, and doubt” routine. This may make it easy to get approval for a temporary budget increase or a pile of reactionary purchases, but it does not do much for your long-term security posture. Reactionary purchases result in a series of security silos that cannot talk to each other and that increase operating and capital costs. You may consider this a layered defense strategy, which is better than point systems, but it has higher operating costs and the potential for a false sense of security.
A better long-term approach is to focus on security as a platform, instead of a selection of individual products and point defenses. Your organization has likely invested in platforms in other areas such as office automation, network infrastructure, and enterprise resource planning, because standardization and consolidation improve efficiency and reduce cost. In today’s threat landscape of complex and adaptive attacks, a critical component of an effective security platform is sharing of data among all of the sensors, defenses, and controllers. This communication enables all devices to get the knowledge and assistance they need, and the security operations center to have a true picture of the active threat level.
The next component of an effective security platform is integration and automation between security processes in real time, which helps drive down operational costs. While technologies can share data over standard formats, the ideal model shares data using a real-time communications backplane so that the data can provide assistance in problem solving immediately, rather than be used solely to reconstruct the past. With the demand for security personnel outstripping the supply of experienced professionals, integration reduces the time-consuming “swivel-chair management” technique of monitoring multiple consoles, and automation filters out the normal, expected noise and other clutter to provide more visibility to the anomalous and abnormal alerts and events.
Finally, you want a platform that supports multiple vendors and technologies, without requiring a wholesale replacement of your existing infrastructure. No single vendor can deliver all of the current and new technologies, and competition and open architectures help to keep prices down, business responsiveness up, and functionality increasing.
The use of an integrated platform has been proven in several other parts of the organization, and it is time to demand this from the security area as well. Long-term operational cost savings, sustainability, and future-proofing far outweigh the perceived short-term gains of cash flow management. A connected security platform reduces capital and operating costs while vastly improving your security posture, satisfying both finance and security. In our recent study on security management platforms, respondents identified the platform as the most important and valuable part of the security system, surpassing endpoint protection, with a 66% increase in value since 2012. In the end, you need a security program by design, not by accounting policy.