IBM’s X-Force research and development team declared 2011 to be the “Year of the Security Breach” based on an explosion of successful attacks and the emergence of more sophisticated attack techniques. Since then, news of security breaches at large and small organizations across various industries has become commonplace. Information technology (IT) security teams who once struggled to justify further investments are now finding their requests being granted — if not bolstered.

Power and Responsibility in Security Investments

While security teams can rejoice in their apparent reversal of fortune, they now have the attention of their respective organizations. With that attention comes new expectations about a safer enterprise network environment. Security teams face increasing pressure to not only keep their enterprises out of the headlines, but also to highlight the value of their security investments in affording greater business flexibility. Unfortunately, the frequency of cyberattacks shows no signs of abating.

Another cold reality is the all-too-common need to first shore up existing or legacy security infrastructures that were weakened due to a prior lack of appropriate funding. This limits the natural inclination to be more aggressive and modernize the organizational security posture. If it is accepted that complete security is neither attainable nor feasible, then the efficacy of an organization’s security posture relative to its peers can significantly influence its attractiveness as a target.

Of course, judicious use of the financial resources available to security teams has always been required, but now, the stakes have gotten higher. Old assumptions should be revisited, and a more nuanced analysis of each organization’s threat landscape should be performed.

Awareness of certain trends will aid in formulating the ideal strategy for security investments. While still highly fragmented and quite dynamic, the security industry as a whole is maturing and consolidating, which is leading to fewer and better integrated solutions. At the same time, the motivations of malicious actors and their more sophisticated attack methods mean that this new generation of cybercriminals must extract value proportionate to the resources they expend. If there is a silver lining of sorts, it’s that security is now a growing profession and not just an extension of IT operations and management. The availability of expertise is still outpaced by market demand for these new skills, but security knowledge is certainly growing.

A close assessment of these security trends suggests the following recommendations for optimizing an organization’s security investment strategy:

1. Specialize in Security Operations

Security teams need to specialize in security operations, not system integration. Previously, security teams invested in best-of-breed solutions focused on security niches, which left the door open for attackers to exploit vulnerable integrations. Numerous security projects failed to deliver operational value simply because the integration exercise was too complex or resource-intensive to perform during deployment. Given that the security industry is consolidating, security teams can refocus their efforts on security operations and outsource the system integration exercise to their security solution providers. While there is still value in security through diversity, it needs to be evaluated against the efficacy and cost-effectiveness of integrated security solutions.

2. Map Threat Surface Area Based on Risk

Take time to map out your organization’s threat surface area based on quantifiable risk to stakeholders, who can range from customers to employees and owners. This exercise allows a security team to identify the critical identities, systems, network elements, data and applications that need to be safeguarded. At a minimum, this allows investments to be prioritized so that defensive measures are deployed to the organization’s most attractive targets and malicious actors are disincentivized.

3. Place Investment Focus on Security Knowledge

Remember to acquire security knowledge, not just tools. Investments purely in technology assets often have disappointing results. Organizations need to acquire the expertise to operate advanced technologies and/or invest in solutions that provide a greater degree of automation built on a foundation of security knowledge. Additionally, security can only be enhanced when practicing defense in ranks. For example, collecting information from third-party security researchers or even governmental organizations can greatly improve security operations. Turning this knowledge into action will improve the effectiveness and responsiveness of the organization’s cybersecurity apparatus.


From your experience, what advice do you have to help organizations optimize their investments in cybersecurity?
