By Mat Gangwer, CTO, Rook Security
The uptick in the number of data breaches in recent months has placed more focus and attention on companies’ security processes and programs. It is critical to begin planning and executing a security program with the proper tools in place to efficiently block, notify, and respond to threats while effectively controlling security resources and utilization to meet dynamic demands.
Since the 1980s, when security pros began to rise to combat hackers connecting through dial-in modems, technology-led approaches have left boards and executives unprepared. Security has struggled to demonstrate that it can quantify why it continues to fail to protect organizational data. Instead, it is critical to create a comprehensive security program that integrates people, processes, and technology.
When creating an IT security program at your organization, it is crucial to demonstrate that you understand your board’s expectations when it comes to IT and security investments. These investments must be the right size, measurable, and scalable at a moment’s notice to effectively address emerging threats—or to decrease the investments made in lower-priority initiatives.
In a survey conducted by Rook Security, a number of professionals including Board Members, CEOs, CFOs, CIOs, CISOs, GCs, Controllers, and Procurement were asked four questions:
- How would you define “success” for your security program?
- What is the biggest barrier to the perception of success of your security program?
- What needs to change to improve perception of success?
- What is the biggest opportunity to improve the capabilities of the program?
Based on the responses, 10 attributes surfaced. Keeping in mind the 10 items listed below will help in structuring or improving your security program.
- Visibility: All critical pieces of data should be aggregated and collected for analysis.
- Intelligence: Enrich key data points to provide more context and reduce copy-paste work performed by security operations staff.
- Resource Throttling: Security resources should be working on high value-add activities, and shifted immediately if necessary.
- Outcome-based Metrics: KPIs should be derived from desired objectives and outcomes (for example, Time to Detect and Time to Respond).
- Real-time Scalability: Security staff and tools need to be scalable at a moment’s notice to deal with a possible influx of tickets and incidents.
- Cloud Options (public and private): Security solutions need to provide coverage to both on-premise resources and cloud resources.
- On-premise, Remote, and Cloud IR Capabilities On Demand: Response capabilities and processes need to be adjusted for handling incidents in cloud environments and remote locations.
- Cloud Enablement Controls: Local security controls should be extended to cloud resources, making sure equivalent coverage is maintained.
- Approved Cloud Vendors By Category: All third-party cloud vendors should undergo review for data privacy and protection policies. Approved vendors should be communicated internally with staff.
- Monitoring of Cloud Security Controls Integrated With Core SOC Monitoring Capabilities: Security controls should be constantly monitored, and if drift is detected against the baseline, security operations staff should be notified.
The shortcomings of security programs in the past have created a great opportunity for executives to differentiate their new program strategy and to create business value in ways that they couldn’t before. Across all industries, large business-to-business partnerships have been disrupted, and clients have realized competitive advantage through crises that were reported at the board level, sometimes even when incidents required SEC reporting.
Their ability to understand the human factors associated with crisis response, through understanding marketing, psychology, finance and legal, has helped these leading executives accomplish what was previously thought impossible. As a result, they know and understand the key components needed to renew trust from their executive peers and the board, and can demonstrate how security investments can establish positive momentum for their business.