This post was originally published here by Jack Danahy.
Make the best use of security budget windfalls when they happen
In a given year, 90% of companies are going to get hacked or DDoSed. It might be ransomware, a data breach, or a denial of service, but damage is occurring and everybody is worried. As a result, three-quarters of large-enterprise IT managers are looking to increase their security investments in 2017, and they have plenty of choices. According to a recent Momentum Partners report, there are currently hundreds of established security companies, providing 16 different types of security capabilities, to choose from. What is a CIO or IT manager to do? She is hungry for more security, the budget has just opened up, and so many of these solutions could help. It is finally time to upgrade and advance. At this moment I recommend that the organization adopt…restraint.
Target Multiple Investments
When you are responsible for security management, your comfort level is like the horizon. It moves consistently away from you no matter how fast you improve. This is why security projects start with an attempt to push a single security technology or approach across an entire organization, whether it is authentication, data leakage, event monitoring, or red team testing. But your organization isn’t as flat and featureless as that. There are areas where you know the data is more private, the service is mission critical, or the employees are more prone to mistakes. To get the most leverage from your new investment, use it to mitigate the most serious threats to your most vulnerable or valuable resources.
Deciding how much to invest, and where, can be a challenge.
Try this:
In 1947, Judge Learned Hand created the idea of the “calculus of negligence” to resolve an interesting tort law case (United States vs. Carroll Towing). To the point, Hand judged that if the cost of preventing a loss (Prevention $) is less than the probability of the loss (Likelihood) occurring multiplied by the amount of the loss itself (Value $), then the offending party has been negligent. This kind of concrete mathematics is difficult in security, where both the likelihood of attack or breach and the ultimate cost of the damage can be difficult to pin down. It is still a valuable model. From a relative perspective, it shows that investments should be made that will provide protection against risks to assets that are either rising in popularity as targets or are subject to new or innovative threats. Additional security dollars should be applied to those areas that most significantly improve protection for the organization, and organizations should look beyond their past best practices to validate their choices.
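The Hand rule above, applied across a small portfolio of candidate controls, is shown in the added example below. It is not code from the original post; the assets, costs, likelihoods and loss values are constructed for illustration. One assumption is called out in the code: because a security control usually reduces rather than eliminates the likelihood of a loss, the "P x L" term is taken to be the expected loss the control removes (the drop in likelihood times the asset value), and a control passes the Hand test when its cost is below that figure.

```python
"""Worked example of Learned Hand's calculus of negligence (B < P * L)
used to rank security investments. Added illustration; all figures are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    asset: str
    cost: float               # Prevention $: annual cost of the control
    likelihood_before: float  # Likelihood: P(loss event) per year without the control
    likelihood_after: float   # Likelihood with the control in place (assumption: partial, not zero)
    value: float              # Value $: loss if the event occurs

    def expected_loss_reduction(self) -> float:
        """The P * L term, generalized to a control that only lowers P."""
        return (self.likelihood_before - self.likelihood_after) * self.value

    def net_benefit(self) -> float:
        """Expected loss avoided minus what the control costs."""
        return self.expected_loss_reduction() - self.cost

    def passes_hand_test(self) -> bool:
        """Hand's rule: if B < P * L, declining to spend B is negligent."""
        return self.cost < self.expected_loss_reduction()


def sample_controls() -> List[Control]:
    # Constructed portfolio; none of these numbers come from the post.
    return [
        Control("MFA on admin access", "customer database", 40_000, 0.20, 0.05, 2_000_000),
        Control("Endpoint runtime defense", "workstations", 60_000, 0.30, 0.10, 500_000),
        Control("WAF", "marketing site", 25_000, 0.10, 0.05, 100_000),
        Control("Tested backups / DR", "ERP system", 80_000, 0.05, 0.01, 3_000_000),
        Control("DLP suite", "file shares", 120_000, 0.08, 0.04, 1_500_000),
    ]


def prioritize(controls: List[Control], budget: float) -> Tuple[List[Control], float]:
    """Keep only controls that pass the Hand test, rank them by loss avoided per
    dollar, then fund them greedily until the budget is exhausted.
    Returns (funded controls, unspent budget)."""
    worthwhile = [c for c in controls if c.passes_hand_test()]
    ranked = sorted(worthwhile,
                    key=lambda c: c.expected_loss_reduction() / c.cost,
                    reverse=True)
    funded, remaining = [], budget
    for c in ranked:
        if c.cost <= remaining:
            funded.append(c)
            remaining -= c.cost
    return funded, remaining


def report(controls: List[Control]) -> List[str]:
    """One line per control, suitable for the management summary discussed later."""
    lines = []
    for c in controls:
        verdict = "fund" if c.passes_hand_test() else "defer"
        lines.append(f"{c.name:<26} {c.asset:<18} cost={c.cost:>9,.0f} "
                     f"avoided={c.expected_loss_reduction():>11,.0f} "
                     f"net={c.net_benefit():>10,.0f}  {verdict}")
    return lines


if __name__ == "__main__":
    portfolio = sample_controls()
    print("\n".join(report(portfolio)))
    funded, left = prioritize(portfolio, budget=150_000)
    print("\nFunded within $150,000:", [c.name for c in funded], "unspent:", left)
```

The greedy pass ranks by loss avoided per dollar, which is the "relative perspective" the post recommends; with a handful of controls it is easy to read and defend, though it is not guaranteed to find the optimal combination under a hard budget cap. The WAF and DLP entries are deliberately constructed so that their cost exceeds the expected loss they remove, which is the case where Hand's calculus says the spend is not justified for that asset.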
Think Beyond the Implementation
Reappraisal of security investments takes conscious thought. Most organizations will continue to add more money to areas where they are already spending, while also increasing funds for new potential protections. Much of this will happen without additional staffing, and this can lead to abandonment of some efforts and the underutilization of others. Osterman Research has found that roughly 30% of security investments end up unused or underutilized, and in many cases, this can be linked to a lack of time or expertise on the part of the staff that ends up charged with their operation.
Make sure that a staffing appraisal is a core part of any new security initiative to ensure long-term value. Consider managed services as well as internal deployments, as they accounted for 45% of cybersecurity investments in 2016. Especially where expertise or availability is concerned, sensitivity to existing staff limitations can make the difference between improved protection and wasted investment.
Communicating for Success
Having thought through the right areas of investment and the most effective forms for integrating security, it’s time to create awareness and support for the plan. Take time to envision the ultimate outcome of the investment and the type of reporting and information sharing that will ensure its continued success. Compliance reporting alone is typically not sufficient, and can be limiting based on its binary (compliant/not-compliant) outcome. Instead, security performance that can be updated regularly will paint a clearer picture. Here are topics that are helpful and interesting for management:
Coverage
As discussed earlier, assets should be protected appropriately in consideration of their value and exposure. Coverage reporting can be done by developing an overlay of asset and protection type, including the risks you’ve managed. Include any unaddressed exposures, along with the nature of their vulnerability and additional effort or resources required to close them.
Protection Events
Nothing proves a solid security strategy more than a report on attacks or attempts that have been blocked, stopped, or detected. With breach detection often taking weeks or months, timely reporting on protection events and even breaches (ideally before third parties report them) shows serious business value.
Savings
Security breaches and events cost money. Decreased downtime and operational tasks like reloading systems have measurable costs. Showing factual (improved) trends after implementing your new security controls produces a measurable balance for the new expense, and can encourage further investment where it would expand those savings.
Conclusion
New investment in security products should involve serious consideration before pulling the trigger. In most cases, there is not a simple ROI or user experience improvement to be promised, delivered, and measured. The value is more difficult to demonstrate, making choices more difficult to make and justify. And your decision carries more weight. If your organization wants to spend more, it is because it feels it needs to do more. Your security purchase will bring with it an easing of that sense of urgency. Once that dollar is spent and that security decision made, the organizational unease will go away, replaced by the comfort of knowing that more security is in place. So, when this chance arises, capitalize on it as an opportunity to talk about the goals of security, to learn more about the systems that the business sees as critical, and to integrate security more fully in the strategic growth of your company. You’ll be getting a solid return for the time you spend.
About the Author
Jack Danahy is co-founder and CTO at Barkly and a 25 year veteran in the security industry. He was the founder and CEO of two successful security companies: Qiave Technologies (acquired by Watchguard Technologies in 2000) and Ounce Labs (acquired by IBM in 2009). Jack is a frequent writer and speaker on security and security issues, and has received multiple patents in a variety of security technologies. Prior to founding Barkly, Jack was the Director of Advanced Security for IBM, and led the delivery of security services for IBM in North America.
About Barkly:
Barkly is runtime malware defense that provides a last line of protection against attacks that make it through antivirus scans. Unlike scans, which work pre-execution, Barkly blocks malware at runtime by recognizing its malicious behaviour.
Photo: Brandon Hall Group