What Security Strategy is Best For Your Organization?
There are some great examples of Chief Executive Officers (CEOs) and Chief Information Security Officers (CISOs) working together to protect their employees, customers, and organization. On the other end of the spectrum, you have CEOs and CISOs that do not work well together. In order to align your security strategy with the business's needs, the two have to see eye-to-eye on the key issue of how your organization's security program is designed at its core. Outlined below are some of the buckets organizations fall into when tackling security.
With publicly reported breaches now a near-constant, investment in cybersecurity is growing. IDC released a report stating that:
“In 2020, these organizations are expected to spend $101.6 billion on cybersecurity software, services, and hardware […] This equates to a 38% increase from the $73.7 billion that […] organizations will spend on cybersecurity in 2016.”
Risk-based security is the future for many organizations. Being able to compete with the adversary on your terms is essential to keeping a business afloat. This can be terribly overwhelming for most organizations because there is no clearly defined place to start. Do you work from the data out, or from the perimeter in?
Mitigating the risk to your sensitive data is an integral part of a risk-based security program. The building blocks for this program are getting a handle on your unstructured data and focusing on securing the sensitive data within it. Being able to define where sensitive data resides, who has access to it, and how to safeguard it is step one. Although this step can be one of the lengthiest, it is the most important.
I'm one of many people who stand behind the mindset that compliance is not security. But the more I look at the 1M+ open cybersecurity jobs and the number of positions whose sole purpose is to manage and respond to compliance needs, the more it becomes apparent that this is what security has become for many organizations.
The skills gap in the industry is a large testament to the gaps within security organizations. There are those who will argue that we do not have a skills gap, and that the gap in fact exists within our systems, which are not built with security and privacy in mind; but at the moment companies find it easier to throw bodies at the problem. What this means for most security organizations is that they don't have the bandwidth to constantly keep up with the newest breach path or adversarial attack and the myriad compliance regimes. This is where I see a lot of companies choose the compliance-based strategy. It is at least a framework, and something that can be directly quantified for the powers that be.
With the European Union (EU) General Data Protection Regulation (GDPR) in full effect come May 25, 2018, we are actually getting to a compliance-based strategy with data at the epicenter. A lot of the EU GDPR maps to core security processes and programs an organization should have in place anyway.
Security Through Obscurity
The 2nd largest digital sports site doesn't have a security team. They have been breached multiple times, and they have an Information Technology (IT) team and a CEO who stand behind "Security Through Obscurity." For them, the cost of having a security team and paying for the tools far outweighs the regulatory fines and breaches. There are many more companies like them, or companies that do the bare minimum and hope it is enough. I can absolutely see this working in the short term for some companies. Many start-ups take a similar approach, since they have to make this trade-off based on limited resources. This, of course, only works if they have saved for a rainy day: the day when this strategy fails and they're hit with regulatory sanctions, or worse, a breach that impacts their organization and customers financially.
Whichever strategy your organization currently follows or decides to adopt, it is important to know that there are ways to quantify the risk to your organization. You can do it with regulatory sanctions and the cost associated with being found non-compliant. You can assess the cost of losing customers to competitors because you cannot secure their sensitive data. On the sophisticated end of the spectrum, some companies use FAIR (Factor Analysis of Information Risk) or NIST's Risk Management Framework (RMF) to structure and quantify their risk. Or you can combine them all into a personalized cost analysis and compare it to the tools you currently have in place or plan to put in place.
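The FAIR-style quantification mentioned above can be shown concretely. The following is an added example written for this post, not STEALTHbits code and not the official FAIR tooling: it uses FAIR's public factor structure (Loss Event Frequency = Threat Event Frequency × Vulnerability; Risk = Loss Event Frequency × Loss Magnitude) with a Monte Carlo simulation over calibrated min/most-likely/max estimates, then compares the annualized loss before and after a control against that control's yearly cost. Every number in the scenario (event frequencies, loss magnitudes, the control cost) is a constructed, hypothetical estimate chosen only to illustrate the arithmetic.

```python
"""FAIR-style risk quantification via Monte Carlo (illustrative example).

Factors follow the FAIR taxonomy:
  TEF  = Threat Event Frequency   (attempts per year)
  Vuln = Vulnerability            (probability an attempt becomes a loss event)
  LEF  = TEF * Vuln               (loss events per year)
  LM   = Loss Magnitude           (cost per loss event)
  ALE  = LEF * LM                 (annualized loss expectancy)
Each input is a three-point (min, most likely, max) estimate sampled from a
triangular distribution; a PERT distribution is the more common FAIR choice,
but triangular needs no extra libraries and keeps the closed-form mean simple.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate for one FAIR factor."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular(low, high, mode)
        return rng.triangular(self.low, self.high, self.likely)

    def mean(self) -> float:
        # Mean of a triangular distribution.
        return (self.low + self.likely + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    """One loss scenario, e.g. 'external actor exfiltrates customer PII'."""
    tef: Estimate          # threat events per year
    vuln: Estimate         # probability a threat event becomes a loss event
    loss_magnitude: Estimate  # cost per loss event, in currency units

    def expected_ale(self) -> float:
        # Closed-form mean, valid because the factors are sampled independently.
        return self.tef.mean() * self.vuln.mean() * self.loss_magnitude.mean()

    def simulate(self, iterations: int = 20_000, seed: int = 1) -> dict:
        """Monte Carlo: returns mean ALE plus 50th/90th percentile annual loss."""
        rng = random.Random(seed)
        losses = []
        for _ in range(iterations):
            lef = self.tef.sample(rng) * self.vuln.sample(rng)
            losses.append(lef * self.loss_magnitude.sample(rng))
        losses.sort()
        return {
            "mean": statistics.fmean(losses),
            "p50": losses[len(losses) // 2],
            "p90": losses[int(len(losses) * 0.9)],
        }


def control_decision(before: Scenario, after: Scenario, annual_control_cost: float,
                     iterations: int = 20_000) -> dict:
    """Compare expected loss reduction from a control against what it costs."""
    reduction = before.simulate(iterations)["mean"] - after.simulate(iterations)["mean"]
    return {
        "risk_reduction": reduction,
        "control_cost": annual_control_cost,
        "worth_it": reduction > annual_control_cost,
    }


# Constructed, hypothetical scenario: sensitive-data exposure from over-permissive
# file shares. "After" assumes an access-governance control that lowers the
# probability an attempt succeeds; frequency and per-event cost are unchanged.
BEFORE = Scenario(
    tef=Estimate(1, 4, 12),
    vuln=Estimate(0.10, 0.30, 0.60),
    loss_magnitude=Estimate(50_000, 200_000, 900_000),
)
AFTER = Scenario(
    tef=BEFORE.tef,
    vuln=Estimate(0.05, 0.10, 0.20),
    loss_magnitude=BEFORE.loss_magnitude,
)
CONTROL_COST_PER_YEAR = 150_000  # hypothetical licence + staff time

if __name__ == "__main__":
    for name, scenario in (("before", BEFORE), ("after", AFTER)):
        print(name, "closed-form ALE:", round(scenario.expected_ale()),
              "simulated:", {k: round(v) for k, v in scenario.simulate().items()})
    print(control_decision(BEFORE, AFTER, CONTROL_COST_PER_YEAR))
```

The p90 figure is usually what a board wants alongside the mean: it answers "how bad is a bad year" rather than "what do we lose on average". To adapt this to your own environment, replace the constructed estimates with ranges your team is willing to defend, and rerun the comparison for each tool or strategy under consideration.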
Click here to learn more about compliance: https://www.stealthbits.com/compliance-solution
Corin Imai is a Director of Marketing for STEALTHbits. Corin began her career working on server, application and desktop virtualization, networking, software-as-a-service, and cloud computing technologies before delving into application and data security. In her current capacity at STEALTHbits, she manages the industry-leading StealthAUDIT suite that enterprises around the world depend on to defend their most critical information. Corin can be found on Twitter @corinimai