The Security Investment Dilemma

I recently had the opportunity to attend the ABHS Leadership Program (ABHSLP) Leadership Development Conference. I had the opportunity to spend time with over 100 of our L2 managers representing every segment of sales, marketing, and customer service. The conference generated an impressive amount of energy – from the group and from each of the terrific individuals who were chosen to participate in this year’s program leadership development conference. Although the conference was not about information security, a talk about personal energy management inspired me to write this post. Surprisingly, I discovered a great parallel to the security world.

While I was listening to Jenny Evans of Human Performance Institute talk about why should we wait for the worst to happen before making a needed change, I realized that in the security space, we tend to do the same thing.

Unfortunately, we have seen many organizations focus time and money on security after they have suffered a data loss or had a reputation/brand impact due to security breaches. We often hear the advice to take a proactive approach rather than a reactive approach, but tend to ignore the obvious value of a proactive approach.
At the heart of any successful initiative is a well-defined process. Clear objectives, metrics, process flows, and role definitions ensure consistency and enable continuous improvement.

Before you embark on a proactive, and preemptive, security strategy, here are few tips to help with your journey:

1. Knowledge is power

Organizations today need to recognize that their security is going to be compromised. A comprehensive approach must take into account that prevention is ideal, but detection is essential. In order to provide proper protection, an organization must have a list of all critical information and business processes that utilize that information, with all of this mapped to systems within the environment.

An organization cannot protect what they do not know. If the offense knows more than the defense, an organization will lose. Once accurate information is gathered, everything in security must map back to risk.

Before an organization spends a dollar of their budget or an hour of their time on security, it should always answer three questions:

  1. What risk are we addressing?
  2. Is this the highest priority risk we have?
  3. Is it the most cost-effective way to reduce the risk?

2. Executive Support Critical to Success

The need for executive management support may be an obvious point, and it may be the most important success factor. If the organization’s leadership team is not ready to dedicate resources to security and risk assessment, discuss risk tradeoff decisions openly, and have business owners sign-off on acceptable risk, then a bit of ‘internal marketing’ may be needed. The business case for risk management will need to be communicated so the benefits of a proactive, risk-based security program are understood.

3. Dedicate Sufficient Resources

Related to executive support, it is essential that the Chief Security Officer dedicate sufficient resources for the annual risk prioritization and budgeting process. Demands vary by team size and industry; however, a single leader should be identified to own the process and be given sufficient time to facilitate evidence collection, initiate risk discussions with business leaders, and develop deliverables to make informed decisions.

4. Gain Visibility through Metrics

Metrics provide visibility, accountability, and demonstrate the value of the security program. The following are some baseline metrics to consider:

  • Percent of business lines involved annually (or semi-annually) in risk assessments, including IT
  • Number of risk assessments performed
  • Number of incidents not covered in existing risk assessments or miscalculated

The cyber threat continues to evolve and disguise itself with ingenious techniques to circumvent most traditional information security programs. To mitigate the risks of these advanced threats effectively, organizations should expand their current capabilities to include proactive, continuous monitoring, while enhancing existing security practices to leverage cyber intelligence.

Is your organization waiting for a catastrophe to happen before developing a security program? Or are you taking a proactive approach to avoid a damaging event?
Bindu Sundaresan Strategic Security Solutions Lead AT&T About Bindu