Whether you agree or disagree with Darwin’s beliefs about the evolution of humans, one thing that is clear is that Darwin’s models for evolution and natural selection apply very well to technology, which is, without doubt, evolving at a rapid rate.
Think about it. The World Wide Web was in its infancy 20 years ago, 10 years ago it was gaining adoption rapidly as web pages started to morph from electronic brochures to interactive ecosystems and now today the web is accessed more frequently from mobile devices than traditional computers.
One of the fastest evolving areas within technology, though, is information security. In just two decades we have evolved from reactive solutions such as the firewall to more proactive security techniques such as threat detection and response capabilities.
But then security has had to evolve because we’d be in a sorry state of affairs if the white hats did not try to keep up with the black hats.
But the ultimate question is: are the white hats keeping pace with the black hats?
The answer is a resounding “no” and CIOs will most likely state the reason for this is “lack of budget”, but if we dig a little deeper it is likely that the root of the problem is not a lack of budget but a misallocation of allocated budget.
Firstly, it seems that one of the most common approaches to making information security purchases is similar to that of the football card collector - thinking of security as a set of products and aiming for a complete set. Organisations start with a firewall, then add web filtering, spam filtering, anti-malware, two factor authentication, intrusion prevention, data loss prevention and so on, and suddenly it feels as if there is a complete set. There are two problems with this model:
1. Not every organisation needs each piece of the set
2. Security is more than just the technology – it also consists of people and processes
Secondly, many organisations invest a lot of time, effort and money into gaining compliance.
Compliance has its merits, but often it focuses on only a small percentage of an organisation’s assets which are at risk (take PCI compliance for example, which may help you secure card holder data but has no controls in place for client contact information or top secret product blueprints), and compliance typically provides only the minimum set of practices required to gain security. Real security involves going above and beyond what compliance covers.
Finally, many organisations focus predominantly on protection and, worse still, they apply their protective blanket to all assets. Protection works provided the asset being protected is more valuable than the cost of the protective measures in place, and provided that the threats targeting those assets are already known. What happens when we have zero-day threats, or abuse by insiders who have legitimate access to those assets?
Protection, alone, is not enough. Detection and Response are required which is why SIEM is gaining a lot of interest and precisely why leading security service providers are offering proactive threat detection and response services for those organisations that are either struggling with, or don’t wish to embark on the path of, SIEM technology and the associated people and processes to make it work.
So, if focussing on a complete collection of protective information security technology and gaining compliance is not the answer, what is the best approach to budgeting for and spending on information security?
1. Start with identifying the assets. Technology changes frequently; your core business and its assets won’t. Start identifying those assets, the value of those assets and the likelihood and impact of threats compromising those assets. From this you will be able to build a risk profile that will tell you where you should be focussing your security efforts.
2. Identify the greatest risks and then consider whether those risks can be mitigated by people, processes and/or technology. This will give you the ability to take a project based approach rather than a technology based approach to solving security, and will ensure that budget is only spent protecting the critical assets.
3. Implement each project in order of most critical to least critical.
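The three steps above worked through as an added example (this is my own illustration, not code from the article): a small risk register with constructed asset values, likelihoods, impacts and control costs. The arithmetic is the usual annualised expected loss model (likelihood × impact × value), and the cost check from the protection paragraph earlier (a control has to cost less than the loss it avoids) is what drops the brochure site’s firewall project from the plan.

```python
"""Risk-based prioritisation of security projects.

Illustrates the three-step approach: (1) rank assets by value, likelihood
and impact, (2) decide which risks are worth mitigating by people, process
or technology, (3) order the resulting projects from most to least critical.
Every figure below is a constructed sample value, not data from the article.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float        # business value of the asset in currency units
    likelihood: float   # annual probability of compromise (0..1)
    impact: float       # fraction of value lost if compromised (0..1)

    def expected_loss(self) -> float:
        """Annualised expected loss: likelihood x impact x value."""
        return self.likelihood * self.impact * self.value


@dataclass
class Mitigation:
    asset: str
    kind: str                   # "people", "process" or "technology"
    project: str
    annual_cost: float
    likelihood_reduction: float  # fraction by which the control cuts likelihood


def build_risk_profile(assets):
    """Step 1: rank assets by annualised expected loss, highest first."""
    return sorted(assets, key=lambda a: a.expected_loss(), reverse=True)


def net_benefit(asset, m):
    """Step 2: loss avoided per year minus what the control costs.
    Negative means the control costs more than the risk it removes, so the
    'protective blanket over everything' approach would waste budget here."""
    avoided = asset.expected_loss() * m.likelihood_reduction
    return avoided - m.annual_cost


def plan_projects(assets, mitigations):
    """Step 3: keep only controls that pay for themselves and order them so
    the asset carrying the largest exposure is addressed first."""
    by_name = {a.name: a for a in assets}
    projects = []
    for m in mitigations:
        asset = by_name[m.asset]
        benefit = net_benefit(asset, m)
        if benefit > 0:
            projects.append({"asset": asset.name, "kind": m.kind,
                             "project": m.project,
                             "net_benefit": round(benefit, 2)})
    projects.sort(key=lambda p: (by_name[p["asset"]].expected_loss(),
                                 p["net_benefit"]), reverse=True)
    return projects


# Constructed sample register (hypothetical values for illustration only).
SAMPLE_ASSETS = [
    Asset("product blueprints", 5_000_000, 0.2, 0.8),
    Asset("cardholder data", 2_000_000, 0.3, 1.0),
    Asset("client contact list", 500_000, 0.4, 0.5),
    Asset("marketing brochure site", 50_000, 0.5, 0.2),
]

SAMPLE_MITIGATIONS = [
    Mitigation("product blueprints", "technology",
               "DLP on engineering file shares", 150_000, 0.5),
    Mitigation("product blueprints", "people",
               "insider threat awareness training", 20_000, 0.1),
    Mitigation("cardholder data", "process",
               "tokenise card numbers at capture", 100_000, 0.6),
    Mitigation("client contact list", "technology",
               "two-factor authentication for CRM", 30_000, 0.5),
    # Costs more per year than the whole expected loss it protects against.
    Mitigation("marketing brochure site", "technology",
               "web application firewall", 12_000, 0.5),
]

if __name__ == "__main__":
    for a in build_risk_profile(SAMPLE_ASSETS):
        print(f"{a.name:<25} expected loss {a.expected_loss():>12,.0f}")
    print()
    for p in plan_projects(SAMPLE_ASSETS, SAMPLE_MITIGATIONS):
        print(f"{p['asset']:<25} {p['kind']:<10} {p['project']:<36} "
              f"net benefit {p['net_benefit']:>10,.0f}")
```

The register ranks the blueprints above the cardholder data even though PCI would only ever look at the latter, which is the compliance point made earlier: a risk profile covers what the audit scope leaves out. The firewall for the brochure site is rejected because its yearly cost exceeds the loss it would avoid, and the remaining projects come out in the order they should be funded.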
And what of compliance requirements? By securing your most critical assets using the above approach, compliance will already be taken care of, and better still, your security will far exceed the minimum security requirements that compliance will dictate, leaving you with a better result at less cost.
Information security threats are evolving, as is technology, and natural selection will ensure the survival of only the fittest organisations. Use these approaches to ensure your information security projects also survive next time there are budget cuts.