As the need for stronger network protection grows ever more urgent, many organizations are studying their security strategies and wondering whether rapidly evolving threat vectors have rendered their existing plans obsolete. That concern often leads IT and business leaders to ask themselves a critical question: is it best to keep updating an existing security strategy or to simply start over from scratch?
There are several instances when an organization may want to consider creating an entirely new network strategy rather than updating the current one, said Frank Downs, director of the cybersecurity practice at ISACA, an international professional association that's focused on IT governance. "One of the most significant [motivations] is an attack that reveals that the fundamental elements of the strategy are weak, indicating that a complete overhaul should be considered," he observed. "An example of this type of incident includes an attack that impacts data in motion within the network and as it leaves the network, such as a man-in-the-middle attack at a gateway point."
Organizations should also consider developing an entirely new network security strategy when there has been significant change within network architecture or when business goals and objectives have shifted direction, suggested Derek Loonan, a senior security specialist at cybersecurity services provider GreyCastle Security. "For example, moving to a new location or being part of an acquisition." Loonan noted that to implement and prioritize the controls that will provide the most risk reduction, a security strategy should align directly with the organization’s risk management program. "Strategy should be visualized and managed against a high-level roadmap that depicts the desired end-state within a three to five-year period," he said.
The network security landscape is undergoing a transition resulting from changes in the underlying traffic patterns, observed Jeff Reed, senior vice president of product management in Cisco's security business unit. "With apps and data moving to SaaS, IaaS and PaaS, coupled with increasing user mobility and the acceleration of SD-WAN, it's important to reevaluate what network security controls are being used and where they are being placed."
Prof. Tom Thomas, a faculty member in Tulane University's School of Professional Advancement and its IT cybersecurity program, noted that a complete strategy replacement might be needed when spinning up an entirely new infrastructure. A fresh start may also be necessary when an organization's existing plan becomes so complex and intertwined that creating a fresh strategy becomes the only sensible course. "In this case, you would build the new security infrastructure in parallel with the old and migrate in phases," he explained. "This also allows for plenty of testing, which is always important."
Yet another reason for starting anew is when a security infrastructure grows so old and decrepit that it can't function properly in a modern security environment or is likely to degrade network service in some way. "This is a rip and replace because what is currently in place is so lacking in capabilities that there is little to no value in undergoing a migration," Thomas said.
Jack Hamm, director of security and network operations for network security firm Gigamon, argued that a fundamental flaw in many network security plans is that they're built as overlays onto an existing network plan. "This is a bad strategy since it somehow implies that you can build a network and add security," he advised. Buildings, after all, aren't constructed by starting with the end goal and then adding the foundation. "Similarly, network security strategies that follow this approach are doomed," Hamm stated.
Laurence Pitt, security strategy director for Juniper Networks, cautioned that enterprises shouldn't be too hasty about discarding an existing security blueprint. "This is not to say that the existing strategy will have anything that can be salvaged, but to entirely rip-and-replace for something new will slow down the ability to respond and will cause confusion," he explained.
Pitt suggested stripping an obsolete security strategy back to its foundation and then building it back up. "While [the old plan] may be out of date or seen as ineffective, there will be areas that still work, and these can and should be updated rather than recreated," he reasoned. "This would allow for more focus to be given to entirely new areas, such as IoT protection or implementation of automation technologies."
Network security strategy should be reviewed yearly since both the security market and the relative threats are in a constant state of change, Reed said. "Every two years an entirely new strategy should be evaluated ... to understand what gaps, if any, exist and what opportunities are available for your organization," he noted. "For nearly all modern businesses, networks are the lifeblood, and they simply can't afford to be ill-prepared for the ever-increasing landscape of threats."