Balancing Your Cyber Security Portfolio
The InfoSec Consulting Series #13
By Jay Pope
In my article Inheriting Enterprise Change I discussed the challenges that can be introduced as state-of-the-art systems quickly become yesterday’s news as the next digital innovations are unveiled and adopted. Another factor that determines how effectively you can support transformation is how you approach balancing your cyber security portfolio. Each organisation has its own security needs, depending on its business context and the value of its assets. This creates a unique challenge for every CISO in building and maintaining a cyber security portfolio and in securing the associated spend. Even if some of the everyday security management is outsourced to an external supplier, an internal design or operating model built with the involvement of the relevant business stakeholders ensures that any portfolio is properly considered and appropriately directed.
Identifying your most valuable assets, those which, if damaged or destroyed, could bring down your business, should determine your investment strategy. This is the first stage in understanding your portfolio and will be the major driver of budget allocation: the majority of the budget will be apportioned to protecting critical assets, with the remaining funds distributed proportionately across everything else.
No two organisations will have the same security portfolio size, content or associated spend. Budget and product selection depend on your business assets, your services and the revenues they generate. The business impact can be catastrophic if a service is unavailable or compromised; we have all seen cases where eCommerce revenues dry up and the brand is permanently damaged because of a security breach and its consequences.
Tools of the Trade
The International Organization for Standardization (ISO) 27000 family of standards is one systematic approach to the security of information assets. In addition, the National Institute of Standards and Technology (NIST) Cybersecurity Framework organises security activity into five core functions that organisations can adopt as a strategy for identifying security requirements (the 2024 CSF 2.0 revision adds a sixth, Govern, covering the oversight and policy activities that the original framework spread across the other five). Together these give a comprehensive approach to evaluating and selecting the right portfolio. Briefly, the highlights of each function are:
- Identify – Cataloguing the business assets and the value and risks associated with them; mapping information types to security categories; system security plan development; governance and contingency planning;
- Protect – Perimeter defences, day-to-day maintenance, data security, risk and governance policies, and controlling and limiting access to assets and networks;
- Detect – Monitoring for and alerting on vulnerabilities and threats: the what, where, when, who and how. Accurate definition and filtering of alerts is vital from an operational perspective so that support staff have visibility and clarity rather than noise;
- Respond – Managing the incident: containing the affected systems, planning the resolution, communicating with business stakeholders, and mitigating current or further threat or damage;
- Recover – Planning for and carrying out recovery in the wake of an attack: repairing the damage and identifying improvements to systems and procedures.
In summary, the NIST framework helps to focus on the key stages of building and balancing your cyber security portfolio. It starts with a true understanding of your critical assets, identifying the types of risks and attacks most likely to affect them. This determines subsequent budget and priority for each class of risk.
Where Best to Invest
At the core of the exercise is defining which capabilities will protect you and finding the right products that will deliver the right solution for the best price. However, it’s essential not to leave things there. This is a live plan and should be revisited to reflect any changes to your business or to the external threat landscape. Any new product innovations will require review and you may need to rebalance your cyber security portfolio accordingly.
The UK Government reports that only one in ten organisations have established a cyber security incident management plan. A little under half (46 percent) of all UK firms identified at least one cyber security attack or breach during the 2017/18 financial year. The figures are of still greater concern in larger organisations: two-thirds (66 percent) of medium-sized firms and 68 percent of large organisations were affected.
The reality is that incidents will occur, and 100 percent security is not possible; every organisation has limited financial resources to devote to cyber security. If you are prioritising business-critical assets, it may be necessary to accept that being just good enough in other areas is the best you can hope to achieve.
Some security product vendors market to businesses using Fear, Uncertainty and Doubt (FUD) messaging. It is important not to be tempted to spend vital funds on the attractive and shiny but unnecessary: vendor products need to be evaluated against your own risks, and they need to complement a coherent technology stack that works.
Likelihood and impact should be assessed together before any purchase is considered. As ever, this is a balancing act: a risk may have a low probability of ever happening but a huge impact if it did (the loss of a primary data centre, for example), and must not be dropped simply because it scores low on a likelihood-times-impact matrix. Conversely, a high-probability risk may have a manageable impact; an insider threat of that kind may be better addressed by the design of internal processes or a specific service than by a product purchase.
We all know that prevention is better than cure. The cost of protecting the business from an intrusion is far lower than the cost of its consequences: an expensive clean-up exercise, data loss or corruption, possible revenue loss and brand damage. There is therefore a strong cost argument for apportioning funds to prevention through risk-based, proportionate cyber security.
Protection and prevention remain the watchwords. Perimeter security, firewalls and access controls that keep out the unauthorised or malicious outsider, is where most organisations started, and for those with business-critical assets, prioritising investment here remains fundamental. Make your business difficult to penetrate and deter the opportunistic but destructive intruder. Yet it is still important to balance the budget by investing across all five functions. Putting all your eggs in one basket and leaving vulnerabilities lurking in other areas leaves you not just open to an attack, but unable to detect and respond to it when it comes.
Investment in detection gives businesses the advantage of valuable time. Responding to a threat too late exacerbates the damage as the clock ticks; infrastructure, not to mention reputation, is put at further risk and will need significant repair and recovery. It is therefore essential to select and balance a set of products in your portfolio that allow you to respond to threats with urgency, isolate problems and remedy vulnerabilities.
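The two checks the preceding paragraphs describe, ranking risks by likelihood and impact without losing sight of low-probability catastrophes, and confirming that spend is not concentrated in one function while other functions and critical risks go untreated, can be made mechanical with a small risk register. The Python below is an added example, not code from the original article or from any framework; the 1 to 5 scales, the budget figure and every sample risk and control are constructed for illustration, and a real organisation would substitute its own register and costs.

```python
from dataclasses import dataclass

# Added example, not the article's own material. The scales, budget and all
# sample risks and controls below are constructed for illustration only.

NIST_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
MAX_SCALE = 5  # assumed 1..5 likelihood and impact scales


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str
    critical: bool    # would losing this asset bring the business down?
    likelihood: int   # 1 (rare) .. 5 (near certain)
    impact: int       # 1 (negligible) .. 5 (catastrophic)

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= MAX_SCALE:
                raise ValueError(f"{self.name}: scale values must be 1..{MAX_SCALE}")

    def score(self) -> int:
        return self.likelihood * self.impact

    def must_treat(self) -> bool:
        # A catastrophic-impact or critical-asset risk needs a control even when
        # its likelihood is so low that likelihood * impact scores it near the bottom.
        return self.critical or self.impact == MAX_SCALE


@dataclass(frozen=True)
class Control:
    name: str
    function: str   # one of NIST_FUNCTIONS
    cost: int       # annual cost in an arbitrary currency unit
    treats: tuple   # names of the risks this control addresses


def rank_risks(risks):
    """Highest score first; equal scores rank by impact, then by criticality."""
    return sorted(risks, key=lambda r: (r.score(), r.impact, r.critical), reverse=True)


def balance_report(controls, risks, budget):
    """Summarise where the money goes and where the portfolio is unbalanced."""
    by_name = {r.name: r for r in risks}
    spend = {f: 0 for f in NIST_FUNCTIONS}
    critical_spend = 0
    treated = set()
    for c in controls:
        if c.function not in spend:
            raise ValueError(f"{c.name}: unknown function {c.function!r}")
        unknown = set(c.treats) - set(by_name)
        if unknown:
            raise ValueError(f"{c.name}: treats unknown risks {sorted(unknown)}")
        spend[c.function] += c.cost
        treated.update(c.treats)
        if any(by_name[n].critical for n in c.treats):
            critical_spend += c.cost
    total = sum(spend.values())
    return {
        "ranked": [r.name for r in rank_risks(risks)],
        "spend_by_function": spend,
        "unfunded_functions": [f for f, v in spend.items() if v == 0],
        "untreated": [r.name for r in risks if r.name not in treated],
        "untreated_must_treat": [r.name for r in risks
                                 if r.name not in treated and r.must_treat()],
        "critical_share": round(critical_spend / total, 2) if total else 0.0,
        "headroom": budget - total,  # negative means the portfolio is over budget
    }


# Constructed sample register (not real data).
SAMPLE_RISKS = (
    Risk("Order DB exfiltration", "eCommerce order DB", True, 3, 5),
    Risk("Phishing of finance staff", "Payments process", True, 5, 3),
    Risk("Ransomware on file share", "Shared drive", False, 4, 3),
    Risk("Insider misuse of CRM", "CRM", False, 4, 2),
    Risk("Data-centre flood", "Primary DC", True, 1, 5),
)

SAMPLE_CONTROLS = (
    Control("Asset inventory and classification", "Identify", 20, ("Order DB exfiltration",)),
    Control("WAF and DB encryption", "Protect", 120, ("Order DB exfiltration",)),
    Control("Mail filtering and MFA", "Protect", 60, ("Phishing of finance staff",)),
    Control("EDR and SIEM alerting", "Detect", 80, ("Ransomware on file share", "Insider misuse of CRM")),
    Control("IR retainer and playbooks", "Respond", 40, ("Ransomware on file share", "Order DB exfiltration")),
)

if __name__ == "__main__":
    for key, value in balance_report(SAMPLE_CONTROLS, SAMPLE_RISKS, budget=400).items():
        print(f"{key}: {value}")
```

On the sample register the report ranks the order database first (both it and the phishing risk score 15, and the tie is broken on impact), shows 180 of 320 units spent on Protect with nothing at all on Recover, and flags the data-centre flood: it scores lowest on the matrix, yet it is untreated, sits on a critical asset and has the maximum impact, which is exactly the case the likelihood-versus-impact discussion warns against. The 80 units of headroom against a 400 budget is where a Recover control and a treatment for that flood risk would go before any further Protect spend.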
The right strategy will deliver a high level of responsiveness, but this requires a solid foundation. You can build the fences as high and wide as you wish, but without the adoption of the right products, policies and procedures, serious vulnerabilities will persist. A good security operations team at the core of your business and with the full support of the senior team is a key part of that foundation.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and is on hand to help ensure your projects deliver solutions that are aligned to your cyber security risk position and meet technical, business and ethical due diligence requirements.