Security Means Managing What You Already Own First
A trend that I have picked up on in conversations with CIO’s, CISO’s and other leaders responsible for securing the enterprise is the huge gap between what they need and what many vendors are marketing. Security leaders in the trenches need solutions to optimize and integrate existing tool investments, manage security capabilities in a coordinated way, and a means for engaging in business conversations about the security they deliver. Vendors seem focused on marketing the future and selling more capability into already resource-strapped security teams that can’t even effectively use the tools they already own due to an under-investment in people and process.
Instead of buying more “stuff” to manage I’d suggest finding a way to measure and manage what you already own. What’s that look like?
Focus on the things you have control over, for example, privileged accounts. Instead of academic discussions around data classification (you know with all the re-organizations and M&A activity you are never going to get there) put your energy into identifying, reducing and then managing your privileged accounts. You own and control your privileged accounts and they are exploited in 100% of the attacks you are most worried about so before you buy that next-generation firewall make sure you’ve taken care of the fundamentals.
Another opportunity to seize today in lieu of investing in the unknown future is vulnerability management. Your effectiveness at vulnerability management has a direct impact on nearly every other part of the security organization you manage. No process for patch management: expect to spend more on incident response. Scanning only a portion of your environment: expect more alerts for your Security Operations Center team to manage. There is a direct correlation between resources consumed in other areas of security and your investment in vulnerability management. It’s another example of managing what you already own before you try to ingest another tool without adding any engineers or process.
I’m not suggesting that CIO’s and CISO’s shouldn’t be trying to “see around corners” and prepare for the future but the amount of hype about what’s next taking away the focus from managing today.