Cyber security tools tend to pile up. Here’s how to rationalize them

The key steps to security rationalization

Although vendor-written, this contributed piece does not advocate a position that is particular to the author’s employer and has been edited and approved by Network World editors.

It’s a cliché, but “change is the only constant.” Every company periodically reviews and changes the applications, processes and solutions it uses to conduct business. Nowhere is this kind of rationalization more important than in the ever-shifting and increasingly perilous arena of cyber security.

Companies often begin the security rationalization process after accumulating a portfolio of tools over the years (e.g. penetration-testing tools, web-application scanners and code scanners), or through mergers and acquisitions, or because of a shift in business strategy.

If your organization has typically bought every tool on offer, rationalization is a great way to spot redundancies. For those who have postponed major purchases, the process will highlight gaps: areas where too little attention has been paid and where there may be unaddressed vulnerabilities. Put simply, the best rationalization projects support new, more customer-centric ways of delivering services by integrating IT into business processes, even as demand grows.

Here are the key steps to security rationalization:

* Define your goal and work backwards. The first step in security rationalization is to define your goal: the desired end state of your overall cybersecurity posture. The same goal-defining approach should be applied to an overall resiliency plan in order to shore up the business. While the goal will vary from one organization to another, a solid security rationalization exercise should enable you to answer the question: How secure are we?

It may make sense to gain buy-in across departments by drafting a charter with a mandate driving the project. The project should be scoped, given resources and a budget, and governed so that it stays under control. It is equally important to understand how secure the enterprise is as a whole and how secure individual systems are, all the way down to the source code level (e.g. GitHub repositories) if you have in-house development.

* Admit your shortcomings. Companies undertaking security rationalization typically fall into four buckets: those that have overinvested, those that have underinvested, those that don’t know the extent of their security capabilities, and those faced with new regulations that require them to demonstrate competency.

Once you have sign-off on your assignment, take inventory of your existing portfolio. This should involve more than simply listing toolsets; it should take into account people and their skills, processes and systems. You will then be able to determine, for example, which vulnerability scanners and firewalls your company has, which applications are protected by them and which are not.

Next, codify everything into multiple tiers based on need. Your Tier 1 systems may require a set of tools that Tier 2 does not. There may be an additional tier that fits no existing category and requires its own subset of tools or protection.

Finally, run a gap analysis across the tiered systems of your infrastructure, starting with the most critical.

* Map back to your desired business outcome. Once you’ve identified the gaps in your security protection, compare them to the initial goals and objectives. There may be a mission-critical processing system that is not getting enough attention from the current tooling, so that you are unable to scan and certify it when rolling out patches.

The next questions you need to ask are:

“Based on current toolsets, what can we apply to that environment and what else do we need to purchase?”

“What are our internal systems, such as ITIL-based service management, Slack and GitHub, that need to be tied into the whole process?”
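The inventory, tiering and gap-analysis steps above can be carried out as data rather than as a spreadsheet exercise. The following is an added example, not code from the original article or from the author’s company: it takes a constructed inventory of systems (each with a criticality tier and the controls and tools currently covering it) and a per-tier requirement set, and reports three things a rationalization project needs: gaps ordered most-critical-first (what to buy or apply), controls covered by more than one tool on the same system (redundancy from overinvestment), and controls present on systems whose tier does not require them (candidates for consolidation or retirement). The tier names, control names, tool names and inventory rows are all assumptions made for illustration.

```python
"""Gap-and-redundancy analysis over a tiered system inventory.

Added illustration, not from the original article. Every tier, control,
tool and system below is constructed; substitute your own inventory.
"""
from collections import Counter

# Controls each tier must have in place. Tier 1 is the most critical and
# carries the fullest requirement set; lower tiers require less.
# (Assumed requirement sets for illustration.)
TIER_REQUIREMENTS = {
    1: {"vuln_scanning", "waf", "code_scanning", "patch_certification", "logging"},
    2: {"vuln_scanning", "waf", "logging"},
    3: {"vuln_scanning"},
}

# Constructed inventory: system -> (tier, {control: [tools providing it]}).
INVENTORY = {
    "payments-core": (1, {"vuln_scanning": ["ScannerA"],
                          "waf": ["WafX"],
                          "logging": ["SIEM1"]}),
    "customer-portal": (2, {"vuln_scanning": ["ScannerA", "ScannerB"],
                            "waf": ["WafX"],
                            "logging": ["SIEM1"]}),
    "intranet-wiki": (3, {"vuln_scanning": ["ScannerA"],
                          "waf": ["WafX"]}),
}


def analyze(inventory, requirements):
    """Return (gaps, redundancies, over_coverage).

    gaps:          [(tier, system, missing_control)], most critical tier first
    redundancies:  {control: [(system, tools)]} where >1 tool covers one control
    over_coverage: [(tier, system, control)] where a control is present but
                   not required at that system's tier
    """
    gaps, over_coverage, redundancies = [], [], {}
    for system, (tier, controls) in inventory.items():
        required = requirements.get(tier)
        if required is None:
            # A system in a tier with no defined requirements is itself a
            # finding: the tiering step is incomplete.
            raise ValueError(f"{system}: tier {tier} has no requirement set")
        present = set(controls)
        for control in sorted(required - present):
            gaps.append((tier, system, control))
        for control in sorted(present - required):
            over_coverage.append((tier, system, control))
        for control, tools in controls.items():
            if len(tools) > 1:
                redundancies.setdefault(control, []).append((system, tools))
    gaps.sort()            # tier 1 first, then by system and control name
    over_coverage.sort()
    return gaps, redundancies, over_coverage


def tool_usage(inventory):
    """Count how many systems each tool protects. Tools used on only one
    system are the usual candidates for consolidation."""
    usage = Counter()
    for _tier, controls in inventory.values():
        for tools in controls.values():
            usage.update(set(tools))
    return usage


if __name__ == "__main__":
    gaps, redundancies, over = analyze(INVENTORY, TIER_REQUIREMENTS)
    print("Gaps (most critical first):")
    for tier, system, control in gaps:
        print(f"  tier {tier}  {system:16s} missing {control}")
    print("Redundant coverage:")
    for control, hits in redundancies.items():
        for system, tools in hits:
            print(f"  {system:16s} {control} covered by {', '.join(tools)}")
    print("Coverage beyond tier requirement:")
    for tier, system, control in over:
        print(f"  tier {tier}  {system:16s} has {control}")
    print("Tool usage:", dict(tool_usage(INVENTORY)))
```

The gap list feeds the “what else do we need to purchase?” question directly, and the redundancy and over-coverage lists feed the consolidation work in the clean-up step; because requirements are keyed by tier, adding the extra tier mentioned above is a one-line change to the requirement table rather than a new process.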

* Make it right. Chances are good you’ll find something amiss, lacking or broken in some fashion. The options moving forward include fixing the problem in-house, contracting professional services to fix it for you, or investing in emerging technology such as security virtualization to fill the holes as a service.

If you find that you lack tools, have too many, or don’t know enough about what you have, you may want a solution that helps you automate or integrate it all, especially if you don’t have the time, money or personnel to find and fix vulnerabilities quickly across your environments. The clean-up can include replacing, retiring, modernizing or consolidating applications.

As cybersecurity fears trump other business concerns and become a boardroom discussion, being asked “how secure are we as a company?” is not a matter of if, but of when. Getting in front of that question with answers early is likely to benefit your organization’s bottom line, your team and possibly your own job.


By Andrew Gilman, Chief Operating Officer, Cybric
