Enterprise security teams need tools to help protect sensitive data and detect anomalous behavior from both internal and external threat actors. Selecting the appropriate tool for their unique environment and challenges is an uphill battle for CISOs and their teams. Security vendors smell blood in the water. It’s hard for those charged with protecting an organization’s security not to get carried away when we hear of machine learning and artificial intelligence solutions that promise the world. In fact, “A third of hospital executives that purchased cybersecurity solutions between 2016 and 2018 report they did so blindly without much vision or discernment,” according to the Annual Cybersecurity Survey published by Black Book Market Research, LLC, last May (2018). The report continues, “60% of healthcare enterprises have not formally identified specific security objectives and requirements in a strategic and tactical plan.”
Based on these numbers, there’s a decent chance the tools an organization employs are not providing nearly the return they should. In fact, improper or incomplete configuration may be hurting your organization more than you think. A number of security tools require continuing investment in the people who configure, maintain, and operate them. Just think about that Splunk team from that hospital across town. It has at least two full-time, highly paid experts configuring log files and optimizing the search head cluster. With that level of resource allocation and activity, one would assume that a solid audit / log management program is in place. Now imagine if you asked them to produce an immediate report of all known servers in that hospital’s master inventory and compare that to the number of operating system logs they’ve captured over the last 3 months. Would there be any gaps? Hopefully not, but probably so. The truth is most organizations are not effectively managing the basic performance of their security tools, processes, and teams.
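The inventory-versus-logs comparison described above can be run as a simple coverage check. The following is an added example, not code from the original article or from TDI; the hostnames, dates, and function names are constructed, and it assumes log sources are identified by hostname (not IP address) and that each source's newest OS log timestamp has already been exported from the log platform.

```python
from datetime import datetime, timedelta

def norm(host):
    """Normalize a hostname: trim, lowercase, drop the domain suffix."""
    return host.strip().lower().split(".")[0]

def log_coverage(inventory, last_seen, now, window_days=90):
    """Compare master-inventory servers with OS log sources seen in the window.

    inventory: iterable of hostnames from the master inventory
    last_seen: dict of log-source hostname -> datetime of its newest OS log
    """
    cutoff = now - timedelta(days=window_days)
    newest = {}
    for host, ts in last_seen.items():
        key = norm(host)  # merge FQDN and short-name entries for one server
        if key not in newest or ts > newest[key]:
            newest[key] = ts
    inv = {norm(h) for h in inventory}
    covered = {h for h in inv if h in newest and newest[h] >= cutoff}
    stale = {h for h in inv if h in newest and newest[h] < cutoff}
    never = inv - newest.keys()
    # Hosts sending logs that the inventory does not know about
    unknown = {h for h, ts in newest.items() if h not in inv and ts >= cutoff}
    pct = round(100 * len(covered) / len(inv), 1) if inv else 0.0
    return {"coverage_pct": pct, "stale": sorted(stale),
            "never_logged": sorted(never), "not_in_inventory": sorted(unknown)}

# Constructed sample data (hypothetical hosts, not from the article)
INVENTORY = ["EHR-DB01.hospital.example", "pacs-app02",
             "ad-dc01.hospital.example", "lab-web03", "hl7-gw01"]
LAST_SEEN = {
    "ehr-db01": datetime(2024, 5, 30),
    "PACS-APP02.hospital.example": datetime(2024, 1, 15),  # went quiet
    "ad-dc01": datetime(2024, 6, 1),
    "ad-dc01.hospital.example": datetime(2024, 2, 1),      # duplicate source name
    "test-vm99": datetime(2024, 5, 20),                    # not in inventory
}
NOW = datetime(2024, 6, 1)

if __name__ == "__main__":
    for name, value in log_coverage(INVENTORY, LAST_SEEN, NOW).items():
        print(f"{name}: {value}")
```

Servers that stopped logging and servers that never logged are reported separately because they point to different failures: a broken forwarder versus a host that was never onboarded.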
This is one of the reasons TDI created Cybersecurity Performance Improvement (CPI)™. Too many organizations are out of alignment when it comes to the security posture being reported and their actual posture (their reality). CPI is business process improvement aimed at cybersecurity maturity via risk management, meaningful metrics tied to business objectives, and continuous monitoring and reporting. CPI provides insights that increase performance and enable the needed visibility to inform data-driven decisions.
So sure, implementation of user behavior analytics would be nice, but if we can’t be certain the team is capturing all necessary logs, how do we know where our focus should be? As Black Book notes, “Without a clear set of security goals, providers are operating in the dark and it’s impossible to measure results.” “Don’t fall victim by being lulled into a false sense of security just because you have a particular suite of security tools,” says Jesse Dean, TDI’s Sr. Director of Solutions. “This can be exacerbated by seemingly constant activity and hollow status updates reported by security teams who are well-intentioned. CISOs and above can own their reality with CPI.”
Understanding your overarching goals, priorities, and the reality of your situation is key to maximizing the benefit of your security tool purchase. Before making a buy decision or deciding to renew that expensive vendor contract, ask the hard questions:
- What specific gap(s) in my security program does this tool fill?
- Is this gap one of my biggest priorities?
- Do I have an existing tool that could solve for this?
- What are my success criteria metrics?
- How effectively are my current tools, processes, and team performing against core security areas (Inventory, Vulnerability Management, etc.)?
- Do I have the staff (time and expertise) to fully implement, manage, and operate this solution?
- How does the tool fit into my broader ecosystem / interoperability?
It’s time we all get back to the basics and take the time to ask ourselves what it is we are doing, how well we’re doing it, and what our risk is. By spending the time planning with these questions in mind, we will have a better understanding of what we really need to do and possibly buy. Using CPI, we can move from just doing to doing things better by measuring and maturing.