Although vendor-written, this contributed piece does not advocate a position that is particular to the author’s employer and has been edited and approved by Network World editors.
It’s a cliché, but “change is the only constant.” Every company periodically reviews and makes changes to the applications, processes and solutions it uses to conduct business. Nowhere is this periodic review, or rationalization, more important than in the ever-shifting and increasingly perilous arena of cybersecurity.
Companies often begin the security rationalization process after accumulating a portfolio of tools over the years (e.g. penetration-testing tools, web-application scanners and code scanners), or in response to mergers and acquisitions or a shift in business strategy.
If your organization has habitually bought every tool on offer, rationalization is a good way to spot redundancies. If it has postponed major purchases, the process will highlight gaps: areas that have received too little attention and where vulnerabilities may exist. Put simply, the best rationalization projects make it possible to deliver services in new and more customer-centric ways by integrating IT into business processes, even as demand grows.
Here are the key steps to security rationalization:
* Define your goal and work backwards. The first step in security rationalization is to define your goal -- the desired end-state of your overall cybersecurity posture. The same goal-defining concept should be applied to an overall resiliency plan in order to shore up the business. While the goal will vary from one organization to the next, a solid security rationalization exercise should enable you to answer the question: How secure are we?
It may make sense to gain buy-in across departments by drafting a charter with a mandate driving the project. The project should be scoped and allocated resources and a budget, and governance should be put in place to maintain control. It is equally important to understand how secure the enterprise is as a whole and how secure individual systems are, all the way down to the source-code level (e.g. GitHub repositories) if you have in-house development.
* Admit your shortcomings. Companies undertaking security rationalization typically fall into four buckets: those that have overinvested, those that have underinvested, those that don’t know the extent of their security capabilities, and those facing new regulations that require them to demonstrate competency.
Once you have sign-off on the charter, take inventory of your existing portfolio. This should involve more than simply listing toolsets: it should take into account people and their skills, processes and systems. You will be able to determine, for example, whether your company has vulnerability scanners and firewalls, which applications are protected by them, and which groups of applications are not.
Next, classify everything into tiers based on need. Tier 1 systems may require a set of tools that Tier 2 systems do not. There may be an additional tier that fits no existing category and requires its own subset of tools or protection.
Finally, run a gap analysis against the controls required for each tier, starting with the most critical systems.
* Map back to your desired business outcome. Once you have identified the gaps in your security protection, compare them to the initial goals and objectives. There may be a mission-critical processing system that current tools do not cover adequately, so that you cannot scan and certify it before patches are rolled in.
The next questions you need to ask are:
“Based on current toolsets what can we apply to that environment and what else do we need to purchase?”
“What are our internal systems and processes, such as ITIL-based change management, Slack and GitHub, that need to be tied into the whole process?”
* Make it right. Chances are good you will find something amiss, lacking or broken in some fashion. The options include fixing the problem in-house, hiring professional services to take on the problem(s) under contract, or investing in emerging technology such as security virtualization to fill the holes as a service.
If you find that you lack tools, have too many, or do not know enough about what you have, you may want a solution that helps you automate or integrate it all, especially if you lack the time, money or personnel to find and fix vulnerabilities quickly across your environments. The cleanup can include replacing, retiring, modernizing or consolidating applications.
As cybersecurity fears overtake other business concerns and become a board-room discussion, the question of how secure the company is will be asked; it is not a matter of “if” but of “when.” Getting in front of that question with answers early is likely to benefit your organization’s bottom line, your team and possibly your own job.