IT Security Strategy - Time to Review?

IT Security is still an area in which many organisations strive to do better, but the question of how much to invest in technology is often answered with the phrase “if money was no object”. Certain technologies and services should be deployed as standard within every organisation; however, in the face of months, possibly years, of financial challenges to come, we see many clients and other companies having to shift their focus when it comes to IT spend. Many technologies in IT fall into the “nice to have” category, and whilst they may bring some benefits, it’s clear that some IT investments have shifted priority. The key for IT Managers, IT Directors, CIOs, CSOs and other IT Leaders is to ascertain which technology is needed, in line with evolving IT budgets. You must not take a static view of security; you should be reviewing it constantly, and this article helps explain why.

It’s not going away

IT Security requires more attention as time passes, with the constant threat of attacks, malicious behaviour, data theft and so on only ever increasing in frequency and complexity.

Here are some statistics which help to highlight just how serious the threat landscape has become. Whilst figures like these change all the time, the statistics below (captured in H1 of 2019) are significant:

  • Attacks are performed every 39 seconds, around 2244 times a day

  • Data breaches exposed 4.1 billion records in the first 6 months of 2019

  • 48% of malicious email attachments are office files

  • 34% of data breaches involve an internal member of staff

  • 53% of organisations have over 1000 highly sensitive files open to all employees

  • 61% of companies have over 500 accounts with non-expiring passwords

Whilst the intention is not to use scare tactics here, the facts are there for everyone to see, and it’s what you do with that information that counts.
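One practical thing to do with those figures is to measure the last two of them in your own estate rather than taking the industry averages on trust: how many enabled accounts have passwords that never expire, and how many folders on your file shares are readable by every member of staff. The PowerShell below is an added example written for this page, not code from the original article or from any vendor. It assumes a Windows domain with the RSAT ActiveDirectory module installed, an account that can read AD and the share ACLs, and that the share paths in $SharesToAudit (placeholders here) are replaced with your own file servers.

```powershell
# Added example for this page, not from the original article.
# Assumes: RSAT ActiveDirectory module present; the running account can read AD
# and the ACLs of the shares listed in $SharesToAudit (placeholder paths).
Import-Module ActiveDirectory

# --- Check 1: enabled accounts whose password never expires -------------------
# Compare the count against the "over 500 accounts" figure above.
function Get-NonExpiringAccounts {
    # Disabled accounts are excluded; they cannot be used to log on anyway.
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
        -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate |
        Select-Object SamAccountName, PasswordLastSet, LastLogonDate
}

# --- Check 2: folders readable by all staff ------------------------------------
# Identities that, in practice, mean "every employee". Adjust for your own domain.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$DomainUsers     = "$env:USERDOMAIN\Domain Users"

function Get-BroadlyReadableFolders {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        # The root itself plus every subfolder; folders we cannot read are skipped.
        $dirs = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                $id      = $ace.IdentityReference.Value
                $isBroad = ($BroadPrincipals -contains $id) -or ($id -eq $DomainUsers)
                # Any Allow ACE that grants at least read/list to a broad principal counts.
                if ($isBroad -and $ace.AccessControlType -eq 'Allow' -and
                    ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)) {
                    [pscustomobject]@{
                        Path      = $dir.FullName
                        Principal = $id
                        Rights    = $ace.FileSystemRights
                        # Files directly inside this folder (not recursive, to avoid double counting).
                        FileCount = @(Get-ChildItem -Path $dir.FullName -File -ErrorAction SilentlyContinue).Count
                    }
                }
            }
        }
    }
}

# Example run. Replace these placeholder paths with your own shares.
$SharesToAudit = @('\\fileserver01\Finance', '\\fileserver01\HR')

$nonExpiring = @(Get-NonExpiringAccounts)
"Enabled accounts with non-expiring passwords: $($nonExpiring.Count)"
$nonExpiring | Sort-Object PasswordLastSet | Select-Object -First 20 | Format-Table -AutoSize

$open = @(Get-BroadlyReadableFolders -Paths $SharesToAudit)
$totalFiles = ($open | Measure-Object -Property FileCount -Sum).Sum
"Folders readable by all staff: $($open.Count); files directly inside them: $totalFiles"
$open | Sort-Object FileCount -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Two caveats when reading the output. The folder check reports inherited ACEs on every subfolder, so one permissive permission at the top of a share will surface as many rows; that is deliberate, because each of those folders really is readable by all staff, but the row count is not the number of distinct mistakes to fix. And “readable by all staff” is only a proxy for “highly sensitive file open to all employees”: the script cannot tell which files are sensitive, which is exactly the question the Analysis step of a strategy has to answer.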

Which IT partner do you choose?

Some of the challenges faced today by IT leaders and business leaders alike are knowing how to tackle security, how to budget for it and what technology to implement. The IT industry, and the providers that operate within it, include a plethora of different organisations. Some of these organisations advise their clients, or prospective clients, with specialist knowledge on the subject of IT and IT Security and how to defend against modern threats.

However, there are many companies with sales-led strategies and marketing campaigns, looking to use shocking statistics to scare clients into buying technology solutions that will seemingly make everything better but which, in reality, are simply the only product or solution those companies can sell. This trend has grown in recent years, with genuinely consultative IT specialists becoming the minority.

When clients are looking for the correct advice for their organisation, the partner they choose to engage with should:

  • Be able to demonstrate that their proposed solution meets your requirements, not just that it is the only security product they sell (driven by commercial targets)

  • Be able to explain how the product or solution they are proposing aligns not only with your existing technology stack, but also with what you have planned for the future.

Selecting an IT partner is crucial to IT Security strategy. You may well start an engagement with an IT partner on the back of a refresh of something such as firewalls, but the best IT partners will want to understand the much broader strategy. That strategy should be formed with your IT partner, not revealed to them afterwards, as the right partner can play a crucial part in creating a roadmap, mapping the organisation’s attack surface and addressing each point of vulnerability.

Only when an IT partner truly understands, and has had an active role in formulating, the strategy should they begin to recommend and deploy specific technologies or vendors. Essentially, you should not be looking for a brand or vendor, but rather looking to deliver an outcome. The right IT partner will deliver that outcome for you, in line with timing and any budgetary constraints.

What should your IT Security Strategy Include?

Your infrastructure, user community and cloud footprint present a large attack surface to any potential attacker, and the breach statistics above show that the threat is not only external. Addressing each area can be a very complicated exercise and requires investment of time as well as money. In practice, every organisation will have different challenges when creating a strategy: some may be driven by sector compliance (e.g. a bank in the financial services sector), whereas others may have a workforce that brings increased exposure. You have to be thorough, understand what you have to protect, and follow a lifecycle which could include:

  • Initiation – agreeing who will form the strategy, and ensuring your IT partner is part of the steering committee

  • Analysis – ascertaining what it is you are going to be protecting: company data, intellectual property, sensitive customer information, user identities?

  • Strategy creation – writing a strategy which explains how each area of the infrastructure will be hardened and how each vulnerability will be addressed. Consider upfront and ongoing costs so that they form part of a predictable operating cost for the organisation

  • Implement & Adopt – working through your action plan, informing areas of the business of any changes affecting the user community and planning timeframes; also define metrics to measure success in each workstream

  • Ongoing management – once implemented, how are you going to manage and monitor the solutions you have in place? Who is responsible for making sure routine maintenance is carried out?

How are you going to deliver your strategy?

Once you have your strategy defined, you have to consider how you are going to actually deliver it. This is often the point at which it is more cost-effective to utilise the technology your IT partner has already invested in, so that you benefit from their economies of scale.

It’s worth finding out what makes up your partner’s IT Security Service, as they will be using a number of elements in their offering. They should be able to share with you their collection of tools, policies, guidelines, risk management approaches, actions, training, best practices, assurances and technologies. It is not uncommon for this service wrap to be branded, which helps to simplify the upfront or ongoing commercial aspects, often aligned to the growth of an infrastructure.

You could of course invest in all of these things yourself; however, this can be a costly exercise, especially if the size of your organisation does not quite justify a dedicated internal Security Operations Centre (SOC).

How do you measure success?

IT Leaders will no doubt be used to putting business cases forward, having to justify why a certain technology or service should receive investment. But getting board approval for such spend forms only one part of what is typically expected these days.