The security space is larger than ever, with point product innovation driving growth in the industry so that there is a seemingly endless supply of new products and technologies. But there is a human tendency to simplify choices and circumstances, and in security departments that tends to narrow the strategic charter and purchasing decisions down to stopping threats and maintaining compliance. Unfortunately, the days when you could effectively stop threats, protect sensitive data, and maintain compliance using a handful of tools are long gone.
In this complex environment, what is the best way to focus the efforts and purchasing dollars of the security department? Instead of focusing on stopping threats and maintaining compliance, the most important question you should be asking is: which products will increase my security effectiveness and the efficiency of security operations?
Why this shift? Well, compliance alone has never been a guarantee of security or privacy; it is a necessary but not sufficient level of defense. And speaking of guarantees, there isn’t one. The number of net new threats increases year over year. Your adversary is a dark army of sophisticated and motivated cybercriminals releasing and adapting threats at a pace you can’t keep up with. We often invest in shiny new products and technologies under the assumption that they will make these problems go away. But stopping 100% of threats 100% of the time is currently 100% unrealistic.
If you are like most companies, your security budget is under constant pressure. Financial decision-makers are asking for increasingly detailed justifications for new purchases. Your people didn’t get worse at security, so you blame the cyber attackers for getting out in front of the tools you previously invested in. This keeps you in a vicious cycle of buying new products that have a short-term success rate, struggling to deploy and manage them, then retiring and replacing them (or worse, just adding another coat of security paint) when they are no longer effective.
Instead of trying to justify security budget increases and purchase decisions with an unattainable goal, make your objectives the continual improvement of security effectiveness and operational efficiency. Focusing on compliance and stopping threats will not solve other issues, like hiring and retaining top talent, managing employee fatigue during security crises, or getting more hours in a day. You cannot throw more people at the problem, because there is a global shortage of experienced security talent. And let’s not forget other company initiatives, like going to the cloud and using IoT devices, IP lighting, HVAC, smart TVs, and digital menus; the list goes on and on.
When you look at the issues from the perspective of effectiveness and efficiency, you will realize some critical, and sometimes difficult, truths:
- You cannot stop everything, every time, so you need to figure out how to prioritize and manage the risk, in collaboration with the business leaders.
- You are having difficulty getting quantifiable data to calculate important security metrics, such as time to compromise, time to discovery, and time to resolution.
- The more tools you have, the less efficient your staff becomes, as they try to deploy and enforce consistent security policies using a complex, disjointed, and sometimes over-architected set of tools.
This is a fundamental change in security thinking, and you have to continually question those who say “that is how we have always done it.” Outside the security space there is a world of examples where fundamental change brought success. The catalysts for that change in security are cross-product and cross-vendor integration, process and workflow automation, and augmenting human judgment with machine-level speed and pattern recognition. Now is the time to start your journey to a more mature security ecosystem.