IT Security is still an area in which many organisations strive to be better, but often apply the phrase “if money was no object” when deciding how much to invest in technology. There are certain technologies and services which should be deployed as standard within every organisation; however, in the face of months, possibly years, of financial challenges to come, we see many clients and various companies having to shift their focus when it comes to IT spend. With lots of technologies in IT, many can be considered in the “nice to have” category and, whilst they may bring some benefits, it’s clear that some IT investments have shifted priority. The key for IT Managers, IT Directors, CIOs, CSOs and other IT Leaders is to ascertain which technology is needed, in line with evolving IT budgets. You really must not have a static view regarding security and you should be constantly reviewing it; this article helps explain why.
It’s not going away
IT Security requires more attention as time passes, with the constant threat of attacks, malicious behavior, data theft etc. only ever increasing in frequency and complexity.
Here are some statistics which help to highlight just how serious the threat landscape has become. Whilst these change all the time, the statistics below (captured in H1 of 2019) are significant:
Attacks are performed every 39 seconds, around 2244 times a day
Data breaches exposed 4.1 billion records in the first 6 months of 2019
48% of malicious email attachments are office files
34% of data breaches involve an internal member of staff
53% of organisations have over 1000 highly sensitive files open to all employees
61% of companies have over 500 accounts with non-expiring passwords
Whilst the intention is not to use scare tactics here, the facts are there for everyone to see and it’s what you do with that information that counts.
Which IT partner do you choose?
Some of the challenges faced today by IT leaders and business leaders alike are knowing how to tackle security, how to budget for it and what technology to implement. The IT industry and the providers that operate within it include a plethora of different organisations. Some of these organisations advise their clients, or prospective clients, with specialist knowledge of IT and IT Security and how to defend against modern threats.
However, many companies have sales-led strategies and marketing campaigns that use shocking statistics to scare clients into buying technology solutions that will seemingly make everything better but, in reality, are the only product or solution those companies can sell. This trend has become more common in recent years, with genuinely consultative IT specialists becoming the minority.
When clients are looking for the correct advice for their organisation, the partner they choose to engage with should:
Be able to demonstrate that their proposed solution meets your requirements, not just because that’s the only security product they sell (driven by commercial targets)
Be able to explain that the product or solution they are proposing aligns correctly with not only your heritage technology stack, but also what you have planned for the future.
Selecting an IT partner is crucial to IT Security strategy. The reason for this is that you may well start an engagement with an IT partner based on a refresh of something such as firewalls for example, but the best IT partners will want to understand the much broader strategy. This strategy should be formed with your IT partner, not revealed to them afterward, as the right IT partner will be able to play a crucial part in creating a roadmap, highlighting the entire attack surface of an organisation and addressing all points of vulnerability.
Only when an IT partner truly understands and has had an active role in formulating a strategy should they then begin to recommend and deploy specific technologies or vendors. Essentially you should not be looking for a brand or vendor, but rather looking to deliver an outcome. The right IT partner will deliver that outcome for you, in line with timing and any budgetary constraints.
What should your IT Security Strategy Include?
Your infrastructure, user community and cloud footprint present a pretty large attack surface to any potential external attacker. Addressing each area can be a very complicated exercise and requires investment of time as well as money. In practice, every organisation will have different challenges when creating a strategy: some may be driven by sector compliance (e.g. a bank in the financial services sector), whereas some may have a workforce that brings increased vulnerability. You have to be thorough, try to understand what you have to protect, and follow a lifecycle which could include:
Initiation – agreeing who will form the strategy, ensuring your IT partner is part of the steering committee
Analysis – ascertain what it is you are going to be protecting: company data, IP, customer-sensitive information, user identity
Strategy creation – write a strategy which explains how to harden each area of the infrastructure and how you are going to address each vulnerability. Consider upfront and ongoing costs so that they form part of a predictable operating cost for the organisation
Implement & Adopt – begin working through your action plan, alerting areas of the business to any user community changes and planned timeframes; also consider metrics to measure success in each workstream.
Ongoing management – once implemented, how are you going to manage and monitor the solutions you have in place? Who is responsible for making sure routine maintenance is carried out?
How are you going to deliver your strategy?
Once you have your strategy defined, you have to consider how you are going to actually deliver it. This is the point at which it is often more cost effective to utilise the technology your IT partner has already invested in, so that you benefit from their economies of scale.
It’s worth finding out what makes up your partner’s IT Security Service, as they will be using a number of elements in their offering. They should be able to share with you their collection of tools, policies, guidelines, risk management approaches, actions, training, best practices, assurances and technologies. It is not uncommon for them to have branded this service wrap, which helps to simplify the upfront and ongoing commercial aspects, often aligned to the growth of an infrastructure.
You could of course invest in all these things yourself, however this could be a costly exercise, especially if the size of your organisation does not quite justify a dedicated internal Security Operations Centre (SOC).
How do you measure success?
IT Leaders will no doubt be used to putting business cases forward, having to justify why a certain technology or service should receive investment. But getting board approval for such spend forms only one part of what is typically expected these days.
So how would you want to continue to justify the success of an IT Security Strategy? The KPIs you create around such a strategy will be influenced by the type of organisation you are, your customers and your industry sector. But across all of these remains a similar theme. Business leaders want to be able to see that IT Security is working; they want to see that it has stopped an attack, and they want to see that the user community is more vigilant and aware of personalised attacks.
This can be split into 3 main considerations:
Technology - Live Data Feeds, Dashboards and Alerts
Process - Board Pack Level Reporting, translating IT information into actionable material for strategic discussions
People - Human interaction, hands-on management and responsibility for maintaining standards & behavior, including leadership feedback to your organisation.
Once you have dissected these main areas, you can decide who takes responsibility for each part. Some could be delivered internally, selecting a security officer, or a departmental champion, whereas some parts make sense to outsource to an IT partner who can give you access to the tools you need at a much lower cost.
Some key points to remember:
The amount of money you invest in IT Security doesn’t necessarily reflect how well protected you are.
The amount of money that other organisations in your sector spend doesn’t form a benchmark of what you should invest.
The figures and metrics you present back to your organisation are based on events that have already happened. You want to be able to report on your ability to stop future threats.
Being compliant with certain regulations does not always mean the level of protection is sufficient.
Your strategy should include the functions of technology, process and people. If your strategy covers fewer than all three, your defense will fail somewhere.
You will never control threats or malicious attacks; you can only ever control your organisation’s readiness to protect & defend against them.
There is no simple answer for “How much security do I need?”. Find an IT partner that will understand you first before they start proposing solutions.
Get started with a Partner
It’s easy to talk about the ‘threat landscape’, but understanding it fully requires skill and experience. The past 4 years in IT security have seen a shift in what is considered the perimeter of your infrastructure: it is no longer just about where your physical equipment resides, or the edge of your network protected by firewalls. You now must factor in that user identity is often the primary target, with would-be attackers trying to compromise it in order to gain access to data or perform other crippling acts on your infrastructure.
With users carrying devices and accessing your IT infrastructure in public places, working from home or using mobile internet connectivity, it’s a difficult task to maintain a high level of security. Not only do you need to ensure the devices have policies, encryption etc., but you should also be focusing on user behavior. Human error is often the source of security breaches, and whilst you may have invested in technology for your infrastructure, you could easily underestimate how critical user training and governance can be.
HybrIT understand that IT security strategies should envelop your whole organisation; covering your infrastructure, users and operations well is where real-world expertise can make a difference. It’s not always just about buying a new product; for example, it’s likely you are using Microsoft products with features that are not turned on. Often organisations haven’t unlocked security features like Conditional Access, underpinned by Microsoft Azure Active Directory, a common example of a quick win for security hardening that HybrIT often highlight.
There are many more examples like this, but first your organisation and infrastructure need to be understood. If you would like to discuss IT security strategies further, including unlocking existing security technologies, please get in touch and our subject matter experts will be able to help you.