Threat Intelligence

5/12/2017
11:00 AM
Mike D. Kail
Mike D. Kail
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

5 Steps to Maximize the Value of your Security Investments

How a 'security rationalization' process can help CISOs make the most out of their information security infrastructure, and also improve the company bottom line.

Over the past several years, cybersecurity has emerged as a massive market. With debilitating data breaches a common occurrence and cybercriminals more capable and organized than ever before, organizations of all sizes and industries have turned to security technologies to protect their valuable assets. According to Gartner, spending on cybersecurity products and services hit more than $80 billion in 2016, and recent research from Cybersecurity Ventures predicts that the global cybersecurity spend will exceed $1 trillion between 2017 and 2021.

It’s hard to deny the need for critical security tools. Unfortunately, all too often, organizations get swept up in the fast pace of the market and accumulate an abundance of tactical tools that end up only solving part of the problem (or overlapping with what they already have). Alternatively, some organizations become overwhelmed by the vastness of the industry and resort to a deer-in-the-headlights approach; they don’t know where to begin, so they postpone any major purchases, or simply underinvest in crucial products or services.

No matter the reason – whether you’ve over-invested in security tools, under-invested, don’t know the extent of your security capabilities, or you’re facing new regulations that require you to demonstrate and continually maintain compliance – there is a path forward! The first step is to develop a security rationalization process to calculate the return on your security investments. Here’s how to get started:

1. Establish a goal.
While organizations’ end goals may vary slightly, every effective security rationalization should begin with the question, “How secure are we?” To begin the process, start by defining your desired goals and then work backwards to accomplish them. Examples of common goals include: understanding where sensitive data lives, establishing a baseline of infrastructure security configurations, and determining which applications are the highest risk. Equally important is establishing how secure your entire organization is, as well as how secure individual systems are - from application vulnerabilities all the way down to the source code level, (for example, GitHub Repositories).

Overall security is really defined by resiliency, and a way to establish the initial level is to take inventory of all of your current processes and schedules around code, application, and inventory scanning. Much like a fitness program, if you don't exercise on a regular basis, you will typically be less healthy. In security, if you don't test/scan for vulnerabilities on a continuous basis, your level of resiliency will be low.

2. Take inventory.
By taking stock of your existing portfolio of tools and services, you will expose any gaps in coverage as well as any technology overlap. Be sure to do more than simply looking at software. You should also take an inventory of people and their skills, processes, and systems.

3. Classify tiers.
It’s crucial to classify all company systems and applications into multiple tiers based on needs and data sensitivity so that you implement the proper level and frequency of security testing. The classification process, which should be performed frequently, will give you greater insight and visibility across all of your infrastructure. For instance, perhaps your Tier 1 needs a system of cybersecurity tools that Tier 2 doesn’t require. Or, maybe you have an additional tier that doesn’t fall into any one category, and it needs its own subset of tools or protection. 

4. Focus on outcomes
At this point, you’ll have pinpointed your organization’s cybersecurity gaps. When identifying these holes, however, it’s crucial to compare them to your initial objectives and business outcomes. For example, maybe you found you have a mission-critical order processing system that’s not getting scanned for vulnerabilities on a regular basis. Recognize that this cybersecurity weakness also makes it impossible to scan-certify your systems when rolling in patches and upgrades.

5. Fix it.
Almost all security rationalization processes find something amiss, lacking or broken. Rather than getting discouraged or alarmed when these results appear, keep moving forward. Get to work fixing the problem(s) in-house, hire professional services to solve the problem(s) for you, or invest in tools such as cybersecurity virtualization to fill in any holes as a service. 

The best security rationalization projects don’t just improve security. They enhance new, and more customer-centric ways of delivering services by seamlessly integrating security into the software development lifecycle. This is an important aspect to stress when you’re getting buy-in from your C-suite and board, which is critical for achieving the objectives of the rationalization project. Also, take time to establish scope, allocate resources and budget, and develop governing systems to maintain control and integrity during the process. Doing so will drastically improve the security of your environments, in addition to saving your organization valuable financial, technical and employee resources. 

Related Content:

 

Mike D. Kail is Chief Innovation Officer at Cybric. Prior to Cybric, Mike was Yahoo's chief information officer and senior vice president of infrastructure, where he led the IT and global data center functions for the company. Prior to joining Yahoo, Mike served as vice ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11469
PUBLISHED: 2019-04-23
Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.
CVE-2013-7470
PUBLISHED: 2019-04-23
cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel before 3.11.7, when CONFIG_NETLABEL is disabled, allows attackers to cause a denial of service (infinite loop and crash), as demonstrated by icmpsic, a different vulnerability than CVE-2013-0310.
CVE-2019-11463
PUBLISHED: 2019-04-23
A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive through 3.3.3 allows remote attackers to cause a denial of service via a crafted ZIP file because of a HAVE_LZMA_H typo.
CVE-2019-0218
PUBLISHED: 2019-04-22
A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.
CVE-2019-11383
PUBLISHED: 2019-04-22
An issue was discovered in the Medha WiFi FTP Server application 1.8.3 for Android. An attacker can read the username/password of a valid user via /data/data/com.medhaapps.wififtpserver/shared_prefs/com.medhaapps.wififtpserver_preferences.xml