Cybersecurity isn’t getting any easier. Data breaches are growing in frequency, scope and the level of damage they inflict. Cyber criminals have become increasingly savvy and sophisticated, which means organizations have to work harder than ever to maintain (let alone improve) their security posture. Today, they have to engage a broader swath of the workforce to take responsibility for cybersecurity.
The good news is, there are plenty of tools available to help. But more tools don’t necessarily mean more security. All too often, organizations are swept up in the fast pace of the market and end up accumulating an abundance of tactical tools that only solve part of the problem, overlap with what they already have or just go underused. These tools usually require manual execution, which just exacerbates the dire cyber engineer shortage. Alternatively, some organizations become overwhelmed by the vastness of the industry and resort to a deer-in-the-headlights approach; they don’t know where to begin, so they postpone any major purchases or simply underinvest in crucial products or services.
No matter the reason, whether you’ve over- or under-invested in security tools, don’t know the extent of your security capabilities, or are facing new regulations that require you to continually demonstrate and maintain compliance, there is a path forward. To find it, you need to answer five key questions:
1. What’s your objective?
Of course, everyone wants to be more secure, but that’s too vague to drive meaningful improvements. You must define your desired security goals with metrics that are both specific and measurable. For example, do you focus on understanding where sensitive data lives, establishing a baseline of infrastructure security configurations or determining which applications are the highest risk? An equally important goal is to form an overall sense of your organizational security, as well as how secure individual systems are, from application vulnerabilities all the way down to the source-code level (for example, GitHub repositories).
2. What do you have?
Overall security is essentially defined by resiliency, which is the ability to prevent and/or respond to application and infrastructure attacks, coupled with rapid remediation. One way to establish your initial resiliency level is to take inventory of all of your current processes and schedules around code, application and inventory scanning. For example, if you don’t test/scan for vulnerabilities on a continuous basis, your level of resiliency will be low. By taking stock of your existing portfolio of tools and services, you will expose any gaps in coverage as well as any technology overlap. Be sure to do more than simply look at software. You should also take an inventory of people and their skills, processes and systems.
3. What’s important?
Once you’ve completed the inventory, it’s crucial to classify all company systems and applications into tiers based on needs and data sensitivity, to ensure you implement the proper level and frequency of security testing. This classification process, which should be performed frequently, will give you greater insight and visibility across all of your infrastructure. For instance, perhaps your Tier 1 needs a system of cybersecurity tools that Tier 2 doesn’t require. Or, maybe you have an additional tier that doesn’t fall into any one category, and it needs its own subset of tools or protection.
4. What are you trying to accomplish?
Once you’ve uncovered your cybersecurity gaps, it’s time to go back to your original objectives. Create an action plan which maps to and is measured against your desired business outcomes and security posture. For example, let’s say you identified a mission-critical order processing system that’s not being regularly scanned for vulnerabilities. You can now understand how this security weakness makes it impossible to scan-certify your systems when rolling in patches and upgrades.
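The gap analysis that steps 2 to 4 describe, as an added example that is not part of the original article: a constructed system inventory with tiers and last-scan dates is checked against assumed per-tier scan cadences, flagging systems such as a Tier 1 order-processing system that has fallen out of its scanning schedule.

```python
from datetime import date, timedelta

# Assumed policy for this example: maximum days allowed between vulnerability
# scans per tier. These cadences are not figures from the article.
SCAN_CADENCE_DAYS = {1: 7, 2: 30, 3: 90}

# Constructed inventory: (system name, tier, date of last vulnerability scan or None).
INVENTORY = [
    ("order-processing", 1, date(2024, 3, 1)),
    ("customer-portal", 1, date(2024, 5, 28)),
    ("hr-intranet", 2, date(2024, 4, 20)),
    ("marketing-site", 3, None),
]

# Constructed "today" so the example is reproducible offline.
AS_OF = date(2024, 6, 1)


def scan_gaps(inventory, cadence, today):
    """Return systems whose last scan is older than their tier allows.

    Each entry is (name, tier, days_overdue); a system that has never been
    scanned reports days_overdue=None. Results are sorted with the most
    sensitive tier first, then the most overdue system within that tier.
    """
    gaps = []
    for name, tier, last_scan in inventory:
        max_age = timedelta(days=cadence[tier])
        if last_scan is None:
            gaps.append((name, tier, None))
        elif today - last_scan > max_age:
            gaps.append((name, tier, (today - last_scan - max_age).days))
    gaps.sort(key=lambda g: (g[1], -(g[2] if g[2] is not None else 10**9)))
    return gaps


def coverage_by_tier(inventory, cadence, today):
    """Share of systems per tier scanned within cadence: a simple resiliency metric."""
    overdue = {name for name, _, _ in scan_gaps(inventory, cadence, today)}
    totals, in_cadence = {}, {}
    for name, tier, _ in inventory:
        totals[tier] = totals.get(tier, 0) + 1
        if name not in overdue:
            in_cadence[tier] = in_cadence.get(tier, 0) + 1
    return {tier: in_cadence.get(tier, 0) / totals[tier] for tier in totals}


if __name__ == "__main__":
    for name, tier, days in scan_gaps(INVENTORY, SCAN_CADENCE_DAYS, AS_OF):
        print(f"Tier {tier}: {name} is {'never scanned' if days is None else f'{days} days overdue'}")
    print(coverage_by_tier(INVENTORY, SCAN_CADENCE_DAYS, AS_OF))
```

The per-tier coverage figures are the kind of specific, measurable metric step 1 asks for, and re-running the check on each inventory refresh keeps the classification current as step 3 recommends.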
5. What’s not working?
As you go through this process, you’ll find things in your systems and workflows that are misaligned, lacking or broken. The important thing is to keep the momentum of your vulnerability management moving forward. Don’t get mired in retrospective analysis; focus on the fix. You can do it yourself, hire professional services or invest in a platform that delivers a strategic framework for remediation.
Improve Your Security Posture… and Much More.
When you ask the right questions, you can methodically establish scope, then plan and budget accordingly. You can develop governing systems to maintain control and process integrity, which will improve your overall security posture and help you better allocate valuable financial, technical and employee resources to deliver services in new and more customer-centric ways. With this perspective in mind, security shifts away from being a requirement, or a type of overhead, to an enabler. Stressing this aspect of the initiative to the C-suite and board can help win buy-in and needed resources.