We’re entering a world of deepening complexity and far vaster breadth when it comes to security for the modern enterprise. With companies integrating legacy data centers, manufacturing facilities, and networks with the cloud and the Internet of Things (IoT), all connecting to an uncontrollable mass of independently governed endpoints, CIOs and CISOs face a constant challenge of trying to decide what to protect and how to protect it.
When thinking about how companies should choose to spend their security dollars, I find the framework created by the National Institute of Standards and Technology (NIST) to be a great guide, although many security professionals also rely on ISO 27001. The NIST framework offers five main functions companies need to be able to address in their approach to cybersecurity: 1) Identify; 2) Protect; 3) Detect; 4) Respond; and 5) Recover. Within this excellent taxonomy of security capabilities, categories like asset management, risk management, and governance are under the identify function, access control, maintenance, and data security fall under protect, while monitoring and anomalous events fall under detect. Respond includes response planning, communications, and mitigation, while recover includes communications taken in the wake of an attack, recovery planning, and improvements to systems and procedures.
Keeping your balance when designing a security portfolio is just as hard as it looks
I highly recommend keeping that framework in mind as you approach decisions about your security spend, but it’s crucial to note that it doesn’t address how to balance your spending across those categories and functions. Yet, the question of how to spread your limited dollars and resources over these categories to ensure your business is as protected as possible is paramount for today’s corporate landscape.
The NIST framework does provide some focus on portfolio analysis, including both the assets you need protected and the security used to protect them. This focus is mainly in the framework’s Risk Assessment section, where there are guides offered for such things as system security plan development, contingency planning, conducting risk assessments, and mapping information types to security categories to name just a few. The NIST framework, just as with other structures like it, helps companies to organize a holistic approach to security. But the portfolio and product analysis framework needs more fleshing out, which is part of the reason for this series of articles. It’s also important to remember that even with a strong security portfolio, there still needs to be security officer(s) matching the needs of the business to the framework and available technologies. Also, in this series we are focusing on analysis of technology products primarily. It is vital to remember that a fully realized vision for security must integrate people, process, and technology products. We are assuming that the people and process aspects are being designed carefully as well in combination with an analysis of technology products.
This is the first article in a series on building the right cybersecurity portfolio for your business. This piece includes the first two steps (Determine Needs, Allocate Spending According to Risk) companies should take when creating that portfolio. Subsequent articles will cover steps three through five (Design Your Portfolio, Choose the Right Products, Rebalance as Needed). This graphic shows all the steps:
Steps to creating a balanced security portfolio
I’ve written previously about modern enterprise security, and have compared proper security to anatomy and the human body, with companies needing a brain for comprehensive and analysis, eyes for searching and scanning for threats, ears for listening for abnormalities, waiting rooms for behavioral analysis, walls and locks for perimeter defense, and arms and hands to respond immediately to threats. And while this analogy works very well for thinking about what a specific product provides, I believe there’s another analogy more apt for thinking about your security spend.