What defines a mature IT security operation?

Mature security is not the direct result of the amount of money spent. Rather, it depends primarily on focus and good fundamentals.

RSA recently published its inaugural and aptly named Cybersecurity Poverty Index. This study is based on self-assessments by organizations that compared their current security implementations against the NIST Cybersecurity Framework. According to the report, almost 66 percent rated themselves as inadequate in every category. With all of the recent breaches in the news, part of me is astounded at this finding. The other part is not surprised, given that this matches what I see in the field every day.

It would appear that the lack of focus on information security is a top-down problem. TechDirt reported this week that the United States' CIO ordered all government web sites to implement SSL by the end of next year. SSL is not exactly a new idea, and yet the U.S. government is just now getting around to it, and may fix it by next year, if the deadline does not get extended, and if they don't use a vulnerable version of SSL/TLS. I have also spoken to a number of customers with known web application issues, who just have not gotten around to fixing them. Folks, we have a problem.

The revelations above, along with the recent news about the government employee breach, made me wonder why corporate America is not fixing its cybersecurity problems. If I had a major revelation on this topic, I might be able to write a book and retire comfortably. I would offer, however, that part of the problem is simple and fundamental (there goes my book deal), stemming from the perception on the part of company management that good security requires the expenditure of large sums of money. As a result, some companies throw money at the problem and don't get the return they expect. Others decide they can't spend the money, and hope becomes their security plan.

A few years ago, I managed security for a busy and highly regulated and audited credit bureau, with no recorded data breaches and a very modest security budget. What I have learned from experience is that good information security only has an indirect relationship to the amount of money spent. You can't win by throwing money at it, any more than you can by ignoring it.

So, how can you have a secure operation without emptying the corporate bank account? It starts with good fundamentals, and a daily focus. The following are some of the elements:

Involvement by company leadership

Security maturity begins in the boardroom. Company management must acknowledge information security as a priority, and support the IT team in its implementation. While a fortune is not required, it isn't free either, so they must come up with some money to address the issue.

Someone in charge

There must be someone, staff or service provider, with whom the IT security buck stops. This job is not a good candidate for shared responsibility, as it requires far too much focus. At present, this responsibility often falls on the IT head. Having been an IT head for many years myself, I recognize the futility of this approach. An IT director or VP must by definition be a generalist. Such a person cannot also be a security specialist.

A defined budget

While maturity is not defined by the size of the budget, the infosec budget must be segregated and discrete from overall IT expenditures. If it ever comes down to choosing between security and purchasing new laptops, security will always lose.

Good art work

By this I mean network and data flow diagrams that make clear how data moves through an organization. The importance of this cannot be overstated. I have been working this week with a PCI customer on a firewall review. I was struggling to get a clear picture of how their many firewalls fit into the operation, until they sent me their network diagrams, which I printed on large paper in full color. They answered more questions than would fit in 100 email messages.

One of the key principles of data protection is knowing what assets you have and what they are worth. A picture in this case is truly worth a thousand words.

Tools that get used

Too often, we treat information security like the game "he who dies with the most toys, wins." Beyond the basics like firewalls and anti-malware software, expensive tools are not essential. Such investments must be viewed as automating what can be done manually. When the tool becomes less expensive than the equivalent cost in man-hours, you buy the tool. Regardless of what tools you buy, however, they must get used. In a recent post, I mentioned the term "shelfware," defined as security tools that sit on the shelf or are not used to their full potential. If you buy it, get the full return on your investment.

Detailed recordkeeping and planning

At times, I think that terms like "incident response" and "incident management" scare people away unnecessarily. The basic concept is very simple, however: keep good records about what happens, and know in advance how you will deal with problems when they occur.

Testing, testing, and testing

Test your systems and applications, and keep testing them, even when nothing changes. Find your issues before a hacker does, and then fix them.

Involvement by everyone

Everyone in the organization must accept that their responsibilities include information security. It has been my experience that most employees, once someone explains the high stakes, will do their part. The few that won't are a liability, and should be directed to alternate employment opportunities.

The bottom line -- security maturity is not measured by the amount of money you spend, but by how well you handle the fundamentals. It is all about focus.

Stories by Robert C. Covington