Keeping pace in cybersecurity can feel like running on a treadmill whose speed keeps increasing. Hundreds of thousands of new malicious programs are reported every day, and exploit campaigns have become more sophisticated and more varied. The resulting high-profile breaches make headlines with disturbing regularity, driving a general consensus that more needs to be done. The billion-dollar question, of course, is, “More of what?”
Simply doing more is not bringing the expected results. There is usually a rush to solve the problem, to do something, and decisions are made without enough thought about how that activity, the threats the organization actually faces, and its current weaknesses fit together. This is compounded by a bewildering array of security solutions and incomprehensible jargon that make it difficult to determine what’s what, much less what’s right for you. To improve the likelihood that the products you choose will bring the protection you want, you need a specific idea of what you’re trying to accomplish before you buy.
Evaluate organizational security posture
The first step is to understand your current situation. If you don’t know how to evaluate your organization from a security perspective, it can be difficult to understand whether your solutions are sufficient. Before spending more, clarify your motivation for improving security. Get to know your organization by asking:
- How many people are you trying to protect, how many are protected now, and what are you protecting them from?
- If you are concerned about a specific resource, do you know where it lives, and how it is transmitted or managed?
- How are these people and assets protected now, and why are you changing that model?
Develop security goals and determine needs
Look for reasons why you feel your organization isn’t secure enough and develop goals and metrics that will make you confident when they are achieved. If you’re stuck, take a look at what other companies in your industry are doing and use that as a basis for your own decision making. The point is to focus on the areas and best practices in security that have been proven effective for others and are most likely to be effective for you.
Once you’ve thought about where you would like to end up, develop an inventory of the assets you need to protect to get there. Don’t equate buying security products and services with resolving your needs; they are enablers of your goals, not the goals themselves. So state the goal first: are you trying to increase security visibility? Increase control? Or reduce security overhead?
Asking and answering questions like these will help you move away from the trap of trying to protect everything from everything. In addition, you should limit your search to the products and features you are looking for to avoid buying more than you need.
Keep in mind that executives and IT pros may not always see eye to eye when it comes to evaluating new solutions. To move forward, you need to get everyone on the same page in terms of priorities. Doing so brings focus and agreement about the company’s most pressing needs, and suggests relevant guideposts for measuring performance and progress.
At the start of any new security initiative, ask whether the risks you’re trying to mitigate are the kind that would mean lost jobs, lost revenue, and damage to the organization’s reputation, or whether their consequences are less severe. The answer will make all the difference when it comes time to make tough but necessary choices.
After you’ve created clear priorities and a list of necessary capabilities, it’s helpful to get insights from other organizations that have publicly worked towards similar goals. The best input will come from organizations most like you in terms of size, industry, and investment.
You can also ask vendors about their experience and request references from customers who have solved similar problems. Present your goals to them in detail and encourage them to explain the approaches they’ve taken with similar clients. You will learn how others view the problem, and their approaches may teach you something new.
Remember that security projects are not the only IT investments that can fail to deliver their expected value, but when a security project fails, the consequences can reach well beyond the money spent. Before you spend a dime on more security, develop clarity and leadership buy-in around your priorities and goals. Plan well, champion vocally, succeed incrementally, and know that each successful step moves the organization towards a more secure, stable, and informed position.
Jack Danahy is co-founder and CTO of the endpoint security company Barkly. A 25-year-veteran in the security industry, he was the founder and CEO of two successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.