Friday, May 21, 2021
BY: J.R Cunningham - Chief Security Officer
“No organization has the security budget to be good at everything. A security program should show you where to spend and why, and track your security maturity and compliance in real time.”
- Facing the Facts
- Persistent Challenges
- What You Need
- Industry Matters
- Modernizing Security Programs
1 – Facing the Facts
Security programs are stuck in the past. Aging frameworks like NIST, HIPAA, FISMA and PCI provide boxes to check, but compliance doesn’t equal security. No organization can be good at hundreds of “things to do” or afford to do all of them.
In addition, resources are scarce and budgets are limited (and scary stories no longer work to get more money). What works for one industry doesn’t work for another – consider the extremely different needs of manufacturers and healthcare organizations.
No matter how much an organization spends on security, it seems like the bad actors are one step ahead. Ask five vendors what to do, and you’ll likely get five different answers. Many organizations continue buying technology in hopes of increasing protection. Showing return on investment, however, is nearly impossible.
A sobering fact?
A security program doesn’t exist that makes you more secure, takes into account your current defenses, identifies the threats most likely to attack your industry, and respects your budget. Until now.
2 – Persistent Challenges
The old approach to security programs isn’t working. We continue to hear familiar concerns and requirements:
- I need help prioritizing security investments.
- Traditional assessments don’t work for us.
- I don’t want a checklist of 200+ things to do.
- I have to justify security projects to executives and the board.
- I don’t have a way to track maturity progress easily.
- I’d like to know what my industry peers are doing in this area.
- I’d like to talk to someone who has “been there, done that.”
- I want to be compliant and secure.
- I need visibility of my entire security program.
How does the old approach hold organizations back and limit security outcomes?
1 – Prescriptive frameworks
Every item seems to be equally important as you work your way through a list – No. 1, No. 2, No. 3 and so on – with no clear links to improving security.
2 – More is better
The notion of strengthening security “everywhere” to achieve high maturity in many or all areas – check, please! – is compelling but not realistic or necessary.
3 – Lack of clarity regarding new attack surfaces
Old frameworks don’t speak well, or at all, to cloud, mobile and digital transformation. No wonder spending decisions are difficult.
4 – Insufficient knowledge
Decision-makers are on a slippery slope without coordinated insights into security maturity, industry-relevant threats, and current defenses.
5 – Inadequate visibility
Technology overload compounds complexity and strains resources. There’s no way to pull it all together in one place, so you have to piece information together manually.
6 – Lack of trustworthy, reliable advice
Changing business conditions and industry nuances call for more than static assessments, generic recommendations or vendor lock-in.
3 – What You Need
The right vision can jumpstart a journey from old to new thinking about security programs. Start with what you need.
| Need to Know | Need to Learn | Need to Show | Need to Go |
|---|---|---|---|
| To spend security dollars most effectively | About the adversaries active in your industry | To justify future security initiatives | To strategic incremental improvements |
4 – Industry Matters
An industry-specific focus identifies high-priority security requirements, relieving the pressure and cost of “secure everything” thinking. When industry factors play a strong role in your program, you can speed up your maturity journey.
| Industry | Key Threats | Key Security Control Examples | Recommendation Examples |
|---|---|---|---|
| Healthcare | Ransomware, personal health information (PHI) compromise | Network segmentation, bio-medical device security, vulnerability scanning | Data governance policy, PHI encryption, network access control policy |
| Retail/Hospitality | Ransomware, credit card breach | Endpoint (point of sale) security, tokenization, encryption, dark web monitoring | CDE encryption standards, vulnerability management policy and exception tracking worksheet, OWASP standards for developers |
| Manufacturing | Loss of intellectual property, factory floor availability | Industrial control systems security, behavioral analytics for robotic devices, third-party identity management | Contractor and third-party access policy, ICS/IoT scanning/passive discovery architecture, change control standards |
| Financial Services | Website spoofing, phishing | Cloud security posture management, SIEM, behavioral analytics, vulnerability management | Onboarding/offboarding identity policy, cloud security configuration standards, cyber risk register templates |
5 – Modernizing Security Programs
The new way of thinking about security programs hinges on organization-wide visibility and control and real-time information. Modern programs reflect all of the “what you need” points and incorporate industry-standard, well-known controls. Imagine being able to measure maturity on a scale of 1 to 5 and understand clearly which areas need to be a 4 or 5 and which, at 2 or 3, pose an acceptable risk. This is a progressive, sensible way to make decisions.
What makes a modern security program better and different?
- Program creation. Facilitates the design and build of customized security programs step by step with specific, actionable recommendations.
- Access. Enables you to view and manage your entire security program through a single pane of glass.
- Basics first. Highlights which controls are essential to satisfy your compliance and security objectives and which can be next level.
- Technology agnostic. Filters out technology noise by identifying what you don’t need anymore and what you need to fill gaps.
- Adaptability. Absorbs new controls and maps them to new or changing organizational and industry standards.
- Flexibility. Gives you the ability to dial up or dial down controls in particular areas.
- ROI based. Allows you to make the best use of money, time, and people considering program gaps, industry requirements, risk profile, and goals.
6 – Outcomes
Change can be hard, whether it affects habits, thinking or behavior. We also know that security programs can’t go on as they are. To recap, these are the benefits of letting go of the past.
- Improve security spend. Invest dollars where they matter most based on industry-specific factors, technology need, and level of effort.
- Avoid security pitfalls. Know which projects to avoid because they are expensive and destined to fail in certain environments.
- Prove security maturity. Track and show maturity progress over time – against well-known industry standards – to help justify security spending.
- Maintain visibility. Unify, integrate and automate your security program in a single dashboard.
- Lower risk exposure. Take advantage of threat modeling to look at systems differently, home in on high-priority threats, and fortify defenses to protect your most valuable assets.
- Keep up. Adapt quickly to new business initiatives, industry trends, and the changing cyber landscape.
Are you ready to make every cybersecurity dollar count? Start with your security program.