Threat Intelligence

5/12/2017 11:00 AM
Mike D. Kail
Commentary

5 Steps to Maximize the Value of your Security Investments

How a 'security rationalization' process can help CISOs make the most out of their information security infrastructure, and also improve the company bottom line.

Over the past several years, cybersecurity has emerged as a massive market. With debilitating data breaches a common occurrence and cybercriminals more capable and organized than ever before, organizations of all sizes and industries have turned to security technologies to protect their valuable assets. According to Gartner, spending on cybersecurity products and services hit more than $80 billion in 2016, and recent research from Cybersecurity Ventures predicts that the global cybersecurity spend will exceed $1 trillion between 2017 and 2021.

It’s hard to deny the need for critical security tools. Unfortunately, all too often, organizations get swept up in the fast pace of the market and accumulate an abundance of tactical tools that end up only solving part of the problem (or overlapping with what they already have). Alternatively, some organizations become overwhelmed by the vastness of the industry and resort to a deer-in-the-headlights approach; they don’t know where to begin, so they postpone any major purchases, or simply underinvest in crucial products or services.

No matter the reason – whether you’ve over-invested in security tools, under-invested, don’t know the extent of your security capabilities, or you’re facing new regulations that require you to demonstrate and continually maintain compliance – there is a path forward! The first step is to develop a security rationalization process to calculate the return on your security investments. Here’s how to get started:

1. Establish a goal.
While organizations’ end goals may vary slightly, every effective security rationalization should begin with the question, “How secure are we?” To begin the process, start by defining your desired goals and then work backwards to accomplish them. Examples of common goals include: understanding where sensitive data lives, establishing a baseline of infrastructure security configurations, and determining which applications are the highest risk. Equally important is establishing how secure your entire organization is, as well as how secure individual systems are, from application vulnerabilities all the way down to the source code level (for example, GitHub repositories).

Overall security is really defined by resiliency, and a way to establish the initial level is to take inventory of all of your current processes and schedules around code, application, and inventory scanning. Much like a fitness program, if you don't exercise on a regular basis, you will typically be less healthy. In security, if you don't test/scan for vulnerabilities on a continuous basis, your level of resiliency will be low.

2. Take inventory.
By taking stock of your existing portfolio of tools and services, you will expose any gaps in coverage as well as any technology overlap. Be sure to do more than simply look at software: you should also take an inventory of people and their skills, processes, and systems.

3. Classify tiers.
It’s crucial to classify all company systems and applications into multiple tiers based on needs and data sensitivity so that you implement the proper level and frequency of security testing. The classification process, which should be performed frequently, will give you greater insight and visibility across all of your infrastructure. For instance, perhaps your Tier 1 needs a system of cybersecurity tools that Tier 2 doesn’t require. Or, maybe you have an additional tier that doesn’t fall into any one category, and it needs its own subset of tools or protection. 

4. Focus on outcomes.
At this point, you’ll have pinpointed your organization’s cybersecurity gaps. When identifying these holes, however, it’s crucial to compare them to your initial objectives and business outcomes. For example, maybe you found you have a mission-critical order processing system that’s not getting scanned for vulnerabilities on a regular basis. Recognize that this cybersecurity weakness also makes it impossible to scan-certify your systems when rolling in patches and upgrades.

5. Fix it.
Almost all security rationalization processes find something amiss, lacking or broken. Rather than getting discouraged or alarmed when these results appear, keep moving forward. Get to work fixing the problem(s) in-house, hire professional services to solve the problem(s) for you, or invest in tools such as cybersecurity virtualization to fill in any holes as a service. 
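The five steps above can be reduced to a repeatable check over an inventory: each system carries a tier, the tools that cover it, and the date of its last vulnerability scan, and a script reports which systems miss their tier's scan cadence, which lack a required control, and where tools overlap. The following is an added example written for this article, not code from the author or from Cybric; the tier policies, tool catalogue, system names and dates are all constructed to illustrate the process (including the unscanned mission-critical order processing system from step 4).

```python
"""Security rationalization gap check: inventory, tiers, scan cadence, overlap.

All policy values, tool names, systems and dates below are constructed for
illustration; they are not from the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed policy: maximum days allowed between vulnerability scans, per tier.
TIER_SCAN_SLA_DAYS: Dict[int, int] = {1: 7, 2: 30, 3: 90}

# Assumed policy: control categories each tier must be covered by.
REQUIRED_CONTROLS: Dict[int, Set[str]] = {
    1: {"vuln-scan", "waf", "sast"},
    2: {"vuln-scan"},
    3: set(),
}

# Constructed tool catalogue: tool name -> control category it provides.
TOOL_CATALOG: Dict[str, str] = {
    "scanner-a": "vuln-scan",
    "scanner-b": "vuln-scan",
    "waf-x": "waf",
    "sast-y": "sast",
}


@dataclass(frozen=True)
class System:
    name: str
    tier: int
    tools: frozenset            # tools from TOOL_CATALOG that cover this system
    last_scan: Optional[date]   # None means the system has never been scanned


@dataclass(frozen=True)
class Finding:
    system: str
    kind: str      # "overdue_scan" | "never_scanned" | "unknown_tier"
    detail: str


TODAY = date(2017, 5, 12)  # constructed reference date for the cadence check

# Constructed inventory (step 2) with tiers assigned (step 3).
SYSTEMS: List[System] = [
    System("order-processing", 1, frozenset({"waf-x"}), date(2017, 3, 28)),
    System("hr-portal", 2, frozenset({"scanner-a"}), date(2017, 5, 2)),
    System("wiki", 3, frozenset(), None),
    System("legacy-batch", 4, frozenset({"scanner-b"}), date(2017, 5, 10)),
]


def scan_gaps(systems: List[System], today: date) -> List[Finding]:
    """Flag systems whose last scan is older than their tier's SLA, never
    scanned, or assigned a tier that has no policy at all."""
    findings: List[Finding] = []
    for s in systems:
        sla = TIER_SCAN_SLA_DAYS.get(s.tier)
        if sla is None:
            findings.append(Finding(s.name, "unknown_tier",
                                    f"tier {s.tier} has no scan policy"))
            continue
        if s.last_scan is None:
            findings.append(Finding(s.name, "never_scanned",
                                    f"tier {s.tier} requires a scan every {sla} days"))
            continue
        age = (today - s.last_scan).days
        if age > sla:
            findings.append(Finding(s.name, "overdue_scan",
                                    f"last scan {age} days ago, SLA is {sla} days"))
    return findings


def coverage_gaps(systems: List[System], catalog: Dict[str, str],
                  required: Dict[int, Set[str]]) -> Dict[str, Set[str]]:
    """Per system, the required control categories no assigned tool provides."""
    gaps: Dict[str, Set[str]] = {}
    for s in systems:
        have = {catalog[t] for t in s.tools if t in catalog}
        missing = required.get(s.tier, set()) - have
        if missing:
            gaps[s.name] = missing
    return gaps


def tool_overlap(catalog: Dict[str, str]) -> Dict[str, List[str]]:
    """Control categories served by more than one tool: consolidation candidates."""
    by_cat: Dict[str, List[str]] = {}
    for tool, cat in catalog.items():
        by_cat.setdefault(cat, []).append(tool)
    return {cat: sorted(tools) for cat, tools in by_cat.items() if len(tools) > 1}


if __name__ == "__main__":
    for f in sorted(scan_gaps(SYSTEMS, TODAY), key=lambda x: x.system):
        print(f"[{f.kind}] {f.system}: {f.detail}")
    for name, missing in coverage_gaps(SYSTEMS, TOOL_CATALOG, REQUIRED_CONTROLS).items():
        print(f"[uncovered] {name}: missing {sorted(missing)}")
    for cat, tools in tool_overlap(TOOL_CATALOG).items():
        print(f"[overlap] {cat}: {tools}")
```

Run as-is, the report flags the order processing system as both overdue (45 days against a 7-day SLA) and missing vulnerability scanning and SAST, flags the wiki as never scanned, flags a system whose tier has no policy, and lists the two overlapping scanners as a rationalization candidate. Each of those lines maps directly onto a step 5 decision: fix in-house, buy services, or retire a redundant tool.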

The best security rationalization projects don’t just improve security. They also enable new, more customer-centric ways of delivering services by seamlessly integrating security into the software development lifecycle. This is an important aspect to stress when you’re getting buy-in from your C-suite and board, which is critical for achieving the objectives of the rationalization project. Also, take time to establish scope, allocate resources and budget, and develop governing systems to maintain control and integrity during the process. Doing so will drastically improve the security of your environments, in addition to saving your organization valuable financial, technical and employee resources.


Mike D. Kail is Chief Innovation Officer at Cybric. Prior to Cybric, Mike was Yahoo's chief information officer and senior vice president of infrastructure, where he led the IT and global data center functions for the company. Prior to joining Yahoo, Mike served as vice ...