How to Work Backwards to Develop a Sound Security Strategy

In today’s cloud-based environments, security threats can move faster and do more damage than ever before. To avoid financial and technological repercussions, companies must be proactive with their security strategies and have the ability to act fast.

A common approach is to “over-secure” company systems, but this can unnecessarily limit employee access to important tools and hinder productivity. Alternatively, those who know security well realize that if you offer employees too much access, it can open your business to security vulnerabilities.

A better approach centers on striking the right balance between security and practicality, and the way companies can achieve this is by working backwards from the ideal security scenario to formulate their strategy.

In this post, we’ll explore ways that security leaders can approach technology in a manner that is both usable for employees and secure for the company. To do this, they must begin with an analysis of the risks and the needs of their employees. Let’s dive in.

Step 1: Assess Your Risks

Begin by establishing a baseline of your current security environment. An intrusion detection system like Threat Stack can reveal security vulnerabilities and misconfigurations and help you prioritize the risks based on this assessment. This information can inform the rest of your strategy, including the people, processes, and tools your company chooses to invest in to address any gaps. By beginning with an internal assessment, you can strategically plan your roadmap for security deliverables.

Step 2: Assess the Roles You Serve

Your initial assessment may reveal the risks your company is vulnerable to and the opportunity to change systems to become more secure. When adopting new software, consider the different kinds of systems access employees will need. Define access by job role and seniority level. After all, developers require different sets of tools and roles within those tools than people in QA. On a similar note, a junior engineer has different technology needs than a CTO or VP of engineering. Elect a security leader who can learn everyone’s needs and incorporate those concerns during vendor evaluations.

Step 3: Develop a Training Program

Employees should know how to securely use whatever technology you give them access to. To ensure compliance and consistent use of safety measures, think of ways to make security training part of the employee onboarding process and provide frequent refresher content to keep all the information top of mind.

The goal? Generate continuous security awareness across your organization. Security awareness requires that you make security a part of the company culture. This means employees should understand why security is important to the business so that it will be easier for them to take responsibility for security as it relates to their individual roles.

Step 4: Find Opportunities to Automate

Given how quickly security threats move through the cloud, managing security manually is no longer an efficient option. Develop a strategy to automate alerts for suspicious activities, user provisioning and deprovisioning, code reviews, monitoring, and operational tasks. One of automation’s key benefits is that it reduces human error and exposures. However, that’s only true if someone oversees the automation. This is why it’s important to have a security leader overseeing the automation system — and ultimately the security strategy as a whole.

Step 5: Focus on Continuous Improvement

As we’ve described before, you typically have four options when evaluating risk:

  • Avoid the risk
  • Reduce the risk
  • Share or transfer the risk
  • Accept the risk

The problem with this approach in the cloud is that nowadays, changes happen extremely quickly and threats come in massively larger volumes. There is no time to manually manage issues one by one.

To continuously manage threats and to continually improve your security posture, it’s critical to deploy a modern, integrated solution that will automate many of the tasks for you. Threat Stack, for example, helps companies continuously check, validate, and monitor that security is being met on an ongoing basis. It can help you complete an initial audit of your configuration settings, which you can then use to develop a baseline for regular checks.

A Final Word . . .

Security is a process that needs to be maintained over the long term and modified as the company grows. With this perspective, companies can avoid short-sighted decisions and short-term thinking when implementing new systems. To kickstart your security strategy, begin by establishing a baseline. Then, continuously measure your activity against those standards. This baseline, combined with a thoughtful and consistent employee training program, will set your security organization up for success.

If you’re considering an investment in cloud security software in 2018, download a free copy of our Cloud Infrastructure Buyer’s Guide.
