
Threat Intelligence

5/12/2017
11:00 AM
Mike D. Kail
Commentary

5 Steps to Maximize the Value of your Security Investments

How a 'security rationalization' process can help CISOs make the most out of their information security infrastructure, and also improve the company bottom line.

Over the past several years, cybersecurity has emerged as a massive market. With debilitating data breaches a common occurrence and cybercriminals more capable and organized than ever before, organizations of all sizes and industries have turned to security technologies to protect their valuable assets. According to Gartner, spending on cybersecurity products and services hit more than $80 billion in 2016, and recent research from Cybersecurity Ventures predicts that the global cybersecurity spend will exceed $1 trillion between 2017 and 2021.

It’s hard to deny the need for critical security tools. Unfortunately, all too often, organizations get swept up in the fast pace of the market and accumulate an abundance of tactical tools that end up only solving part of the problem (or overlapping with what they already have). Alternatively, some organizations become overwhelmed by the vastness of the industry and resort to a deer-in-the-headlights approach; they don’t know where to begin, so they postpone any major purchases, or simply underinvest in crucial products or services.

No matter the reason – whether you’ve over-invested in security tools, under-invested, don’t know the extent of your security capabilities, or you’re facing new regulations that require you to demonstrate and continually maintain compliance – there is a path forward! The first step is to develop a security rationalization process to calculate the return on your security investments. Here’s how to get started:

1. Establish a goal.
While organizations’ end goals may vary slightly, every effective security rationalization should begin with the question, “How secure are we?” Start by defining your desired goals, then work backwards to accomplish them. Common goals include understanding where sensitive data lives, establishing a baseline of infrastructure security configurations, and determining which applications carry the highest risk. Equally important is establishing how secure the organization as a whole is, as well as how secure individual systems are, from application vulnerabilities all the way down to the source-code level (for example, GitHub repositories).

Overall security is really defined by resiliency, and one way to establish your starting level is to take inventory of all of your current processes and schedules for code, application, and infrastructure scanning. Much like a fitness program, if you don't exercise on a regular basis, you will typically be less healthy. In security, if you don't test and scan for vulnerabilities on a continuous basis, your level of resiliency will be low.

2. Take inventory.
By taking stock of your existing portfolio of tools and services, you will expose any gaps in coverage as well as any technology overlap. Be sure to do more than simply look at software: also take an inventory of people and their skills, processes, and systems.

3. Classify tiers.
It’s crucial to classify all company systems and applications into multiple tiers based on business need and data sensitivity, so that you can apply the proper level and frequency of security testing to each. The classification process, which should be repeated regularly rather than done once, gives you greater insight and visibility across all of your infrastructure. For instance, perhaps your Tier 1 systems need a set of security tools that Tier 2 doesn’t require. Or maybe you have an additional tier that doesn’t fit any one category and needs its own subset of tools or protection.

4. Focus on outcomes.
At this point, you’ll have pinpointed your organization’s cybersecurity gaps. When weighing these holes, however, it’s crucial to compare them against your initial objectives and business outcomes. For example, maybe you found that a mission-critical order processing system is not being scanned for vulnerabilities on a regular basis. Recognize that this weakness also makes it impossible to certify, by scanning, that the system is still clean after patches and upgrades are rolled out.

5. Fix it.
Almost all security rationalization processes find something amiss, lacking, or broken. Rather than getting discouraged or alarmed when these results appear, keep moving forward. Get to work fixing the problem(s) in-house, hire professional services to solve them for you, or invest in tools, such as cybersecurity virtualization delivered as a service, to fill in the holes.
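The inventory, tiering, and outcome steps above are easiest to keep honest when they are computed from data rather than from a spreadsheet that goes stale. The following is an added example, not code from the article or from the author's company: it takes a constructed asset inventory and tool inventory, applies an assumed per-tier scan cadence (Tier 1 every 7 days, Tier 2 every 30, Tier 3 every 90), and reports assets that are out of policy, required capabilities that no tool provides, and capabilities that more than one tool provides (likely redundant spend). The asset names, tool names, capability labels, and cadences are all assumptions for illustration.

```python
"""Security rationalization gap report (added example, not the article's code).

Tier cadences, tool names, capability labels and assets below are
constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Step 3: each tier maps to the maximum acceptable age, in days, of the
# most recent vulnerability scan. Assumed values for the example.
TIER_MAX_SCAN_AGE_DAYS: Dict[int, int] = {1: 7, 2: 30, 3: 90}


@dataclass(frozen=True)
class Asset:
    name: str
    tier: int
    last_scan: Optional[date]  # None means the asset has never been scanned


@dataclass(frozen=True)
class Tool:
    name: str
    capabilities: FrozenSet[str]


def scan_gaps(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Step 4: assets whose scan cadence does not meet their tier's policy.

    Returns (asset name, reason) pairs ordered by tier, so the most
    critical findings come first. Each asset yields at most one finding.
    """
    findings: List[Tuple[str, str]] = []
    for asset in sorted(assets, key=lambda a: a.tier):
        limit = TIER_MAX_SCAN_AGE_DAYS.get(asset.tier)
        if limit is None:
            findings.append((asset.name, f"tier {asset.tier} has no scan policy"))
        elif asset.last_scan is None:
            findings.append((asset.name, f"never scanned (tier {asset.tier} limit {limit}d)"))
        else:
            age = (today - asset.last_scan).days
            if age > limit:
                findings.append((asset.name,
                                 f"last scan {age}d ago exceeds tier {asset.tier} limit of {limit}d"))
    return findings


def coverage_report(tools: List[Tool], required: Set[str]) -> Tuple[Set[str], Dict[str, List[str]]]:
    """Step 2: required capabilities no tool provides (gaps) and capabilities
    that more than one tool provides (overlap, i.e. candidates for consolidation)."""
    providers: Dict[str, List[str]] = {cap: [] for cap in required}
    for tool in tools:
        for cap in tool.capabilities:
            providers.setdefault(cap, []).append(tool.name)
    gaps = {cap for cap in required if not providers[cap]}
    overlaps = {cap: sorted(names) for cap, names in providers.items() if len(names) > 1}
    return gaps, overlaps


def in_policy_ratio(assets: List[Asset], today: date) -> float:
    """Step 1: a crude resiliency baseline, the share of assets scanned within policy."""
    if not assets:
        return 0.0
    failing = {name for name, _ in scan_gaps(assets, today)}
    return 1 - len(failing) / len(assets)


# Constructed sample inventory. TODAY is pinned to the article date so the
# report is reproducible; the "order-processing" asset mirrors the example
# in step 4 (a Tier 1 system that has not been scanned in 45 days).
TODAY = date(2017, 5, 12)
SAMPLE_ASSETS = [
    Asset("order-processing", 1, TODAY - timedelta(days=45)),
    Asset("payments-api", 1, TODAY - timedelta(days=2)),
    Asset("hr-portal", 2, TODAY - timedelta(days=10)),
    Asset("internal-wiki", 3, None),
]
SAMPLE_TOOLS = [
    Tool("netscan", frozenset({"infrastructure_scan"})),
    Tool("sast-a", frozenset({"sast"})),
    Tool("sast-b", frozenset({"sast", "secrets"})),
    Tool("edge-waf", frozenset({"waf"})),
]
REQUIRED_CAPABILITIES = {"infrastructure_scan", "sast", "dast", "secrets", "waf"}

if __name__ == "__main__":
    for name, reason in scan_gaps(SAMPLE_ASSETS, TODAY):
        print(f"GAP  {name}: {reason}")
    gaps, overlaps = coverage_report(SAMPLE_TOOLS, REQUIRED_CAPABILITIES)
    print("missing capabilities:", sorted(gaps))
    print("overlapping tools:", overlaps)
    print(f"assets in policy: {in_policy_ratio(SAMPLE_ASSETS, TODAY):.0%}")
```

Run on the sample data, the report flags the order-processing system (45 days old against a 7-day Tier 1 limit) and the never-scanned wiki, shows that nothing provides dynamic application testing, and shows two tools both doing static analysis. Feeding it a real CMDB export and the output of your scanners' APIs turns the five steps into something you can re-run every sprint rather than a one-off project.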

The best security rationalization projects don’t just improve security. They enable new and more customer-centric ways of delivering services by integrating security seamlessly into the software development lifecycle. This is an important point to stress when you’re getting buy-in from your C-suite and board, which is critical for achieving the objectives of the rationalization project. Also take time to establish scope, allocate resources and budget, and develop governing systems to maintain control and integrity during the process. Doing so will drastically improve the security of your environments while saving your organization valuable financial, technical, and employee resources.

Mike D. Kail is Chief Innovation Officer at Cybric. Prior to Cybric, Mike was Yahoo's chief information officer and senior vice president of infrastructure, where he led the IT and global data center functions for the company. Prior to joining Yahoo, Mike served as vice ...