5/12/2017
11:00 AM
Mike D. Kail
Commentary

5 Steps to Maximize the Value of your Security Investments

How a 'security rationalization' process can help CISOs make the most out of their information security infrastructure, and also improve the company bottom line.

Over the past several years, cybersecurity has emerged as a massive market. With debilitating data breaches a common occurrence and cybercriminals more capable and organized than ever before, organizations of all sizes and industries have turned to security technologies to protect their valuable assets. According to Gartner, spending on cybersecurity products and services hit more than $80 billion in 2016, and recent research from Cybersecurity Ventures predicts that the global cybersecurity spend will exceed $1 trillion between 2017 and 2021.

It’s hard to deny the need for critical security tools. Unfortunately, all too often, organizations get swept up in the fast pace of the market and accumulate an abundance of tactical tools that end up only solving part of the problem (or overlapping with what they already have). Alternatively, some organizations become overwhelmed by the vastness of the industry and resort to a deer-in-the-headlights approach; they don’t know where to begin, so they postpone any major purchases, or simply underinvest in crucial products or services.

No matter the reason – whether you’ve over-invested in security tools, under-invested, don’t know the extent of your security capabilities, or you’re facing new regulations that require you to demonstrate and continually maintain compliance – there is a path forward! The first step is to develop a security rationalization process to calculate the return on your security investments. Here’s how to get started:

1. Establish a goal.
While organizations’ end goals may vary slightly, every effective security rationalization should begin with the question, “How secure are we?” To begin the process, start by defining your desired goals and then work backwards to accomplish them. Examples of common goals include: understanding where sensitive data lives, establishing a baseline of infrastructure security configurations, and determining which applications are the highest risk. Equally important is establishing how secure your entire organization is, as well as how secure individual systems are, from application vulnerabilities all the way down to the source code level (for example, GitHub repositories).

Overall security is really defined by resiliency, and a way to establish the initial level is to take inventory of all of your current processes and schedules around code, application, and inventory scanning. Much like a fitness program, if you don't exercise on a regular basis, you will typically be less healthy. In security, if you don't test/scan for vulnerabilities on a continuous basis, your level of resiliency will be low.

2. Take inventory.
By taking stock of your existing portfolio of tools and services, you will expose any gaps in coverage as well as any technology overlap. Be sure to do more than simply look at software. You should also take an inventory of people and their skills, processes, and systems.

3. Classify tiers.
It’s crucial to classify all company systems and applications into multiple tiers based on needs and data sensitivity so that you implement the proper level and frequency of security testing. The classification process, which should be performed frequently, will give you greater insight and visibility across all of your infrastructure. For instance, perhaps your Tier 1 needs a system of cybersecurity tools that Tier 2 doesn’t require. Or, maybe you have an additional tier that doesn’t fall into any one category, and it needs its own subset of tools or protection. 

4. Focus on outcomes.
At this point, you’ll have pinpointed your organization’s cybersecurity gaps. When identifying these holes, however, it’s crucial to compare them to your initial objectives and business outcomes. For example, maybe you found you have a mission-critical order processing system that’s not getting scanned for vulnerabilities on a regular basis. Recognize that this cybersecurity weakness also makes it impossible to scan-certify your systems when rolling in patches and upgrades.

5. Fix it.
Almost all security rationalization processes find something amiss, lacking or broken. Rather than getting discouraged or alarmed when these results appear, keep moving forward. Get to work fixing the problem(s) in-house, hire professional services to solve the problem(s) for you, or invest in tools such as cybersecurity virtualization to fill in any holes as a service. 

The best security rationalization projects don’t just improve security. They enhance new and more customer-centric ways of delivering services by seamlessly integrating security into the software development lifecycle. This is an important aspect to stress when you’re getting buy-in from your C-suite and board, which is critical for achieving the objectives of the rationalization project. Also, take time to establish scope, allocate resources and budget, and develop governing systems to maintain control and integrity during the process. Doing so will drastically improve the security of your environments, in addition to saving your organization valuable financial, technical and employee resources.

Mike D. Kail is Chief Innovation Officer at Cybric. Prior to Cybric, Mike was Yahoo's chief information officer and senior vice president of infrastructure, where he led the IT and global data center functions for the company. Prior to joining Yahoo, Mike served as vice ...