A real-world approach to risk-based security planning

These days, simply investing in security technology isn't enough — more thorough planning is needed

It can be all too easy to deploy security technology and think you've mitigated risk to your business, but sadly technology investment in itself is no guarantee of protection against the latest threats.

A global study by the Ponemon Institute indicated that despite serious business investment in modern security equipment, there was still a 58 percent year-on-year increase in malware incidents last year, with the average cost of a cyber-attack incurring a massive $6.1 million penalty. And according to a recent report by the Department for Business, Innovation and Skills in the UK, 87 percent of small businesses and 93 percent of large organizations experienced at least some form of security breach in the past year, while the cost of cyber breaches against those businesses has tripled over the past year.

[Security awareness: Is there a magic formula?]

In order to truly improve data security, every business must first consider a few key things: What are you protecting? What is it worth to you? What are you protecting it against? And what are the consequences of failure? These questions also need to be asked repeatedly and regularly — the shifting demands of employees, customers and other stakeholders together with evolving compliance standards cannot be resolved by point products alone, however sophisticated.

The modern data security challenge is made even more complex by employees accessing company resources internally and externally by any means at hand including untrusted cloud platforms and their own personal devices. Rarely intentionally malicious, these practices add intelligent identity management and granular user authentication as extra security overheads to a list that already includes data loss, malware, exploits, and hackers. These multi-layered risk and security challenges can only be met with a blend of technology, consultancy, commitment, resolution and a genuine willingness to adapt.

Businesses, however large and established in their own fields, should never be reluctant to turn to external partners for help with maintaining robust data protection, addressing industry compliance issues, and establishing a practical security strategy. Although integrity is always paramount, many large organizations simply cannot afford to take their eye off of their core business goals, and their internal resources often do not have the time to develop a practical approach to resolving information security challenges.

In the real world it is okay to ask for help and consultancy to resolve complex security, risk and compliance issues. Often third-party insight can prove critical in developing a complete end-to-end solution that is relevant and scalable, meets an individual business's specific objectives, and doesn't merely address generic issues, or push individual security components. Specialized consultants that constantly monitor the latest threats, have worked with a wide range of different firms, and tackled diverse security challenges before should always be able to embed themselves with internal experts and become integral members of an information security team. Sometimes a business just needs that extra layer of expert advice in order to gain the confidence to make security decisions at business, management and operational levels.

Data security concerns span every vertical sector, and all IT managers must continue to mitigate these issues by taking the smartest precautions that they can to manage them effectively and strike a balance between security, productivity and cost. A resilient, customized plan should certainly take into account perimeter security, intrusion detection and prevention, content security, authentication services, and web application security. But perhaps just as important is establishing a clear methodology. Improved visibility enables more informed investment decisions to be made across any organization. Greater efficiency in meeting a unique set of data security challenges helps to optimize the use of available resources. Greater understanding of threats and the best actions to combat those will help to balance risk management with commercial goals. A broader skillset and knowledge base gained from consulting an expert partner can help employees to work more confidently and with new technologies. Finally, tangible improvements and measurable successes lead directly to industry compliance with less work (meaning standards and regulatory needs are met without pain and stress).

A thoroughly planned, practical security strategy will always help to improve protection levels while also reducing costs. Businesses must take a risk-based approach; develop objective security plans that are prioritized and actionable; gain a better understanding of actual risks, costs and benefits; and then invest time, money and effort primarily in those areas that are of greatest value.

Achieving this will always demand cultural change, collaboration and measured partnerships and not merely a stack of sophisticated security equipment — but the rewards couldn't be higher.

Chris Camejo brings over 15 years of security experience. At Integralis, he directs assessment services including ethical hacking and compliance spanning multiple countries for global clients. He specializes in penetration testing and vulnerability scanning on the network and application layers, and has further experience conducting physical, telephone and phishing penetration testing. Chris holds numerous industry certifications.

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)