In an earlier blog post I wrote about looking at security as an investment (as opposed to an expense), focusing on the value that an integrated cloud-native security platform can deliver to investors, board members, and C-Level executives. In this post, I’m going to broaden my focus to include some of the other issues you need to include in your “security as an investment” plan.
The Cyber Threat Landscape
But first, just to remind ourselves of the critical need for security, let’s take a look at the reality of today’s cyber threat landscape. The bad news is it’s a level playing field! All businesses are potential targets of cyber crime regardless of size or industry sector. The big companies (e.g., Target, Anthem, Home Depot, etc.) get the headlines, but no one, right down to the smallest entity, is immune.
The stakes can be significant. To start, there’s the potential for reduced investor confidence, a drop in share prices, and lower earnings. Because of a damaged reputation and shaken consumer confidence, you also need to factor in the risk of losing business from customers or partners who decide to go elsewhere. On top of this, your ability to attract and retain high calibre employees might be impaired if your reputation is suspect or is, in fact, damaged.
So there’s no way to rationalize away the risks and possible consequences. You can’t say “We’re too small” or “Our information isn’t valuable enough.” In fact, it might not even be your data that the “bad guys” are after. They might just want to hijack the processing power of your servers to carry out other nefarious activities.
A Four Pillar Plan
A proven way of preparing yourself to operate safely (and at cloud speed) in this environment is to use a proactive approach that centers on four areas: 1. Security Strategy; 2. Appropriate Technology; 3. Education; and 4. an Incident Management Plan.
Develop a Security Strategy
Before you do anything else, develop a comprehensive strategy that identifies, among other factors, your current security profile, your security objectives, the right people (in terms of roles and responsibilities as well as skills, knowledge, and abilities), operational processes, and technologies. (For additional information, see Threat Stack’s Cloud Security Playbook.) Being strategic and proactive — conducting an analysis and developing a plan as opposed to jumping in with fire-fighting tactics — helps ensure that you have a complete, end-to-end approach to addressing your organization’s security requirements rather than a piecemeal solution that might contain gaps or unnecessary and expensive overlaps.
If you’re just starting your business, you can integrate a security strategy into your infrastructure and operations from the very outset. If you’re an established business, a security strategy gives you the opportunity to upgrade your security by retrofitting your operations in a calculated manner. Again, if you’re retrofitting your organization, you can look at this as an opportunity to consolidate and perhaps reduce the number of existing point solutions. The result should enable you to reduce CapEx, and by optimizing operations, you should be able to reduce OpEx as well, while obtaining better security intelligence, faster incident response times, and superior remediation solutions.
If you need to hire third-party experts during this phase, you should not hesitate to do so.
Choose Appropriate Technology
At the heart of your security strategy, make sure that you select an integrated, purpose-built, cloud-native security platform that covers all key areas (i.e., workload insights, threat intelligence, infrastructure monitoring, and vulnerability management) so you can quickly identify breaches and anomalies and take swift remedial action.
As a best practice, do not be tempted to deploy (or keep using) a series of point solutions: the result will inevitably be costly, cumbersome, and slow to use, and you’ll risk leaving gaps in your security coverage. Nor is it advisable to attempt building a homegrown solution: to put it bluntly, it’s not likely you’re in the security business and as such, you won’t have the right knowledge or resources. (For more on selecting appropriate technology, take a look at A Blueprint for Selecting Security Technologies Inside the Cloud.)
Educate Your Employees
The best technology in the world can’t protect your organization by itself because human factors have a huge impact on the strength or weakness of security. (Just think of Edward Snowden’s unauthorized use of a USB drive.) With that in mind, you should develop a culture that is informed by a sense of awareness, knowledge, and responsibility, and where all employees have good security habits and behaviors.
To this end, help your employees develop an understanding of the importance of good habits by making security training an ongoing part of your organization from onboarding through to final exit. Make everyone responsible for security, and point out how simple behaviors, such as poor password practices or the improper use of USB drives, can create critical vulnerabilities. Train your employees to use good security habits, and explain how basic practices, such as the use of password managers and multi-factor authentication, can significantly strengthen your organization’s security posture.
To recap, security is a highly specialized area, but it should never be handled by the “security group” alone. To be effective, it must be the combined responsibility of everyone in the organization from the boardroom on down.
Develop an Incident Management Plan
After all is said and done, things happen. As Robert Burns put it (more or less), “The best laid plans of mice and men often go awry,” and in spite of your strategic security plan, choice of technology, and employee training, breaches will occur. With that in mind, you need to develop a Crisis Response Plan that will let you manage a cyber security crisis in a structured and thorough manner.
The exact makeup of the plan will vary depending on the size of your company, the nature of your business, laws that govern your industry, etc., but it should, at a minimum, define the objectives of your response, the makeup of your response team, roles and responsibilities, key activities, a timeline, key contacts, and contact information. You can start by preparing a basic plan that can then be scaled as your organization grows and becomes more complex. Of course, the internet is a great source for guidance and templates, as the following resources indicate:
A Final Word
Does all of this sound familiar? Probably — because there’s nothing new in what I’ve said. But the question is: Have you acted on it in your organization?
Most people know they need life insurance and a will, but how many procrastinate on putting these in place? Remember: none of the rationalizations (“It’ll never happen to us,” “We’re too small,” etc.) are legitimate. To make your investment in security pay off, you need to be proactive. You need to act now!