Whenever creating a budget, there is always the rainy day fund or the contingency account in case of unexpected circumstances. But what if those circumstances are a data breach that is bigger than you could have ever imagined? And you don’t have cyberinsurance?
Sure, you might be up the proverbial creek without a paddle, but fear not: some security pros are willing to throw out a lifeline and help you at least get your head above water with some sage advice.
The common theme, when they were asked where to cut corners, was to make sure your policies and procedures are sewn up tight. There are really no corners to cut; it is more about having solid policies in place.
Rick Howard, CSO at Palo Alto Networks, said the best thing CISOs can do to bolster their Information Security Program in times of budget shortages is make sure the prevention controls they already have in place are working the way they thought they were going to work when they originally bought and installed them.
“A great truism to our industry is that many of us Network Defenders like to spend money on all kinds of shiny new playthings to defend our networks but fail to make time to get them fully deployed,” he said. “These prevention controls are complicated systems. You can’t simply hook them to your network, turn them on and walk away. Somebody has to maintain them. Somebody has to analyze the data coming out of them. Somebody has to ensure that all the features that the CISOs thought they were buying are actually turned on and working correctly.”
When you are strapped for cash but still want to improve your Information Security Program, spend some time getting to know the already deployed prevention systems.
Stan Black, CSO at Citrix, said organizations short on budget can perform simple but effective security checks like making sure admin logins and passwords aren’t in use, network and access policies are up-to-date and compliance regulations are being met. Performing employee trainings on how to uphold security best practices for their own safety, as well as the company's, can enormously help reduce risk and only costs time.
In other words, Black is saying that keeping things secure inside the network can help prevent worse things outside from getting in.
“Any recipe for reducing security spend starts with three common areas to reduce operational expense and frankly slow your business down to reduce overall risk. The first area is application security testing. A decade or so ago we used to build our own capabilities with huge OpEx and CapEx requirements. Third-party application testing provided the cumulative knowledge of many customers in a single pane of glass. If you want to reduce remediation cost, tie testing tools to CBTs and a comprehensive knowledge base to teach developers to develop secure code,” Black said.
Another area to drastically lower OpEx is threat management. The number of threat actors grows every day, and there are several firms that have tuned their offerings to enumerate threat actor activity relevant to your company. On the other hand, there are many providers that offer threat information regarding the universe of risk; that's nice, but we focus on our company and our customers. Careful assessment of customization to your supply chain will reduce the noise and enable your team to focus on remediation, not identification. Effective threat intelligence also enables remediation and fortification of real threats, not the millions of unauthorized “pings” enterprises are subject to every minute of every day, he said.
A third topic that can be lost in the new product security market is traffic enumeration. If you don’t create, trust, or can’t validate network traffic, you are at risk. Quantification of the known good, untrusted, and unknown traffic costs nothing except time, but for some reason industries want to buy more tech to tell them they have another network threat, he said.
Gareth O’Sullivan, director of solutions architect – EMEA at WhiteHat Security, said maintaining a secure environment is not simply about adding more security products. It can be argued that no single solution can be a silver bullet to achieving security, certainly not in isolation. If a company, security executive or manager finds themselves in a position where they are questioning their existing security posture or policy, this should be cause for concern or taken as an opportunity to reappraise existing policies or programs. Expenditure on security products needs to be conducted in the context of an overall risk management policy which in turn needs to support an organization's core business activities.
Reduce duplication
Ravi Devireddy, co-founder and CTO at E8 Security, said that regardless of whether budget constraints are a factor, a good practice for all organizations is to eliminate operational redundancies in their security practice. Most organizations spend too much time, and money, investigating low-level alerts that are scattered across multiple management systems, which increases their investigative costs per incident.
The best way to reduce unnecessary spend is to ensure all security-relevant data – generated by network systems, applications, and endpoints – is being captured in one centralized system that can automatically prioritize alerts based on risk. Also, giving security analysts the ability to visualize the relationships between targets will allow for a more streamlined security practice, eliminating redundant investigative tasks and making sure security teams capture the right information in one location, he said.
“Evaluate all existing programs and policies. Prioritize those strategies that focus on identifying an attacker’s presence based on behaviors and movements that are not considered normal for your organization, and containing that activity as quickly as possible,” he said.
There is a proliferation of enterprise cybersecurity products in the market that often have overlapping and confusing value. It is possible that even if organizations add and deploy additional products, they still may not be more secure today than they were yesterday — or may in fact be less secure and reliable given the additional complexity. Organizations should develop and very critically maintain an enterprise security architecture that is intended to meet corporate requirements, and can be used to understand risks and position potential solutions. If this architecture isn’t in place or isn’t current, now is the time to start, said Andrew Wertkin, CTO at BlueCat Networks.
Organizations may find that they have deployed duplicative capabilities across multiple product sets, and they almost certainly will find that they aren’t leveraging their existing investments. This has led to new product capabilities to leverage the power of DNS, a mission-critical service for the enterprise, to create immediate visibility to compute, and add to the security posture of the organization without introducing new infrastructure or changing the physical architecture.
O’Sullivan adds that while acquiring new software or solutions requires budget due to a defined cost, reviewing and updating policy will also have an implicit cost. Efficiencies can be made by regularly updating policy and ensuring it is in line with company goals. For example, in the context of building secure software, adopting a security framework which enables ‘building security in, rather than bolting it on’ can help drive costs down and improve efficiencies by enabling the organization to learn how to build secure software or find and fix vulnerabilities early.