“No organization has the security budget to be good at everything. A security program should show you where to spend and why, and track your security maturity and compliance in real time.”
Security programs are stuck in the past. Aging frameworks like NIST, HIPAA, FISMA and PCI provide boxes to check, but compliance doesn’t equal security. No organization can be good at hundreds of “things to do” or afford to do all of them.
In addition, resources are scarce and budgets are limited (and scary stories no longer work to get more money). What works for one industry doesn’t work for another – consider the extremely different needs of manufacturers and healthcare organizations.
No matter how much an organization spends on security, it seems like the bad actors are one step ahead. Ask five vendors what to do, and you’ll likely get five different answers. Many organizations continue buying technology in hopes of increasing protection. Showing return on investment, however, is nearly impossible.
A sobering fact?
A security program doesn’t exist that makes you more secure, takes into account your current defenses, identifies the threats most likely to attack your industry, and respects your budget. Until now.
The old approach to security programs isn’t working. We continue to hear familiar concerns and requirements:
How does the old approach hold organizations back and limit security outcomes?
1 – Prescriptive frameworks
Every item seems to be equally important as you work your way through a list – No. 1, No. 2, No. 3 and so on – with no clear links to improving security.
2 – More is better
The notion of strengthening security “everywhere” to achieve high maturity in many or all areas – check, please! – is compelling but not realistic or necessary.
3 – Lack of clarity regarding new attack surfaces
Old frameworks don’t speak well, or at all, to cloud, mobile and digital transformation. No wonder spending decisions are difficult.
4 – Insufficient knowledge
Decision-makers are on a slippery slope without coordinated insights into security maturity, industry-relevant threats, and current defenses.
5 – Inadequate visibility
Technology overload compounds complexity and strains resources. There’s no way to pull it all together in one place, so you have to piece information together manually.
6 – Lack of trustworthy, reliable advice
Changing business conditions and industry nuances call for more than static assessments, generic recommendations or vendor lock-in.
The right vision can jumpstart a journey from old to new thinking about security programs. Start with what you need.
|Need to Know||Need to Learn||Need to Show||Need to Go|
|To spend security dollars most effectively||About the adversaries active in your industry||To justify future security initiatives||To strategic incremental improvements|
An industry-specific focus identifies high-priority security requirements, relieving the pressure and cost of “secure everything” thinking. When industry factors play a strong role in your program, you can speed up your maturity journey.
|Key Threats||Key Security Control Examples||Recommendation Examples|
|Healthcare||Ransomware, personal health information (PHI) compromise.||Network segmentation, bio-medical device security, vulnerability scanning||Data governance policy, PHI encryption, network access control policy|
|Retail/Hospitality||Ransomware, credit card breach||Endpoint (point of sale) security, tokenization, encryption, dark web monitoring||CDE encryption standards, vulnerability management policy and exception tracking worksheet, OWASP standards for developers|
|Manufacturing||Loss of intellectual property, factory floor availability||Industrial control systems security, behavioral analytics for robotic devices, third-party identity management||Contractor and third-party access policy, ICS/IoT scanning/passive discovery architecture, change control standards|
|Financial Services||Website spoofing, phishing||Cloud security posture management, SIEM, behavioral analytics, vulnerability management||Onboarding/offboarding identity policy, cloud security configuration standards, cyber risk register templates|
The new way of thinking about security programs hinges on organization-wide visibility and control and real-time information. Modern programs reflect all of the “what you need” points and incorporate industry-standard, well-known controls. Imagine being able to measure maturity on a scale of 1 to 5 and understand clearly which areas need to be a 4 or 5 and which, at 2 or 3, pose an acceptable risk. This is a progressive, sensible way to make decisions.
What makes a modern security program better and different?
Change can be hard, whether it affects habits, thinking or behavior. We also know that security programs can’t go on as they are. To recap, these are the benefits of letting go of the past.
Are you ready to make every cybersecurity dollar count? Start with your security program. LEARN MORE