Growing your data security ecosystem

Be careful what you ask for...

The current state of enterprise security has created some interesting challenges for organizations and IT departments. Despite the tight economic climate, with the ever-increasing torrent of data breaches dominating the headlines, many CISOs are suddenly finding themselves with unexpected—and sometimes significant—increases to their budget.

Which usually, wouldn’t be thought of as a bad thing. But these are different—and challenging—circumstances. Frequently, my peers are finding themselves answering tough questions in front of executive management, or if publicly held, the board.

“How do we make sure this doesn’t happen to us? What are we doing to protect ourselves? What’s our risk?”

This is particularly true if the most recent breach is a direct competitor, in the same industry, or has the potential to impact their supply chain or services they use. Case in point, anyone in retail that utilizes POS terminals is spending a significant amount of their time these days reassuring management that their data security posture is solid.

Investing in your business

Securing your enterprise IT infrastructure, your extended networks and the valuable information contained within them has never been more important. Enterprise management teams around the world are prioritizing security and spending more money than ever to improve their defenses. And anecdotally, those who I have spoken to in the industry have generally confirmed that their budgets are increasing —in some cases dramatically.

Now having more money is a great problem to have. But it is not without its own risks. Simply throwing more money at enterprise data security may not work as intended. In fact, it can increase your risk.

Before adding more tools or services to your portfolio, take a step back. One of the first steps you should take is to understand and optimize what you already have.

This includes whether or not you have strong data governance policies, solutions and processes. For example, do you have a robust, comprehensive asset management solution? One that covers the basics, like enabling you to quickly and accurately identify and track down end user assets?

Second, how strong is your enterprise-wide awareness of risk? One place you may need to start is strengthening end-user awareness and training. For example, advanced threats consistently use spear-fishing techniques to gain toe-holds in highly secure networks. Have you educated your employees to look for suspicious emails and think before they open attachments? With the proliferation of cloud-based file-sharing and collaboration tools, have you told your employees about the risks of storing sensitive corporate information on public cloud-based file sharing applications? A little education can go a long way.

Don’t get ahead of yourself

Before implementing more advanced technology solutions like a Security Information and Event Management system (SIEM) or security alerting services, you need to be prepared to deal with what will most certainly be a mass influx of security alerts. Do you have the ability to identify and track these alerts? Do you have the staff and expertise to deal with the increased work load? And do you have the process and incident response procedures in place to handle the remediation efforts?

If the answer to any of these questions is no, your business may very well end up in worse shape than before. How? If you aren’t properly staffed or prepared, it’s easy to miss true issues as they could go unnoticed, as your team is distracted by the noise and confusion. Implementing new technology or solutions that the company isn’t ready for, either technically or—in many cases, culturally—can be equally damaging. In the end, you won’t be any more secure and will have wasted time, money and possibly even damaged your reputation.

Setting the right course

After you have a solid foundation, how do you prioritize your data security needs?

Before layering on more technology, you must have a strategic plan.

This of course will depend upon the needs of your business, your existing infrastructure and capabilities. Retail organizations with a vast POS infrastructure will have different needs and requirements than manufacturers with an extended network of supply chain vendors. It can vary region to region, while also being influenced by cultural factors and the regulatory environment.

So, if you do find yourself answering questions in front of management about the state of your security apparatus, take the opportunity to make sure your security priorities align and support the company’s strategic goals and initiatives while addressing your highest risk areas. And just as importantly, that the steps you’re taking add value.

Putting more money into solving this problem presents a great opportunity to bolster your security ecosystem. Careful and thorough preparation, planning and prioritization will help ensure success and avoid creating more problems for yourself in the long run.