Improving protection will always require increasing investment. Attackers change tactics to avoid the protections that they have already seen, and advanced attackers continue to prove they can develop attack technologies that penetrate even sophisticated targets. At the same time, pedestrian attackers and automated campaigns rely on finding new victims for older attack vectors, so existing defenses need to remain strong. The IT Pro or security administrator needs to consider this blend of existing and expected threats when making recommendations to their organizations about areas to apply additional funds to maximize the total security provided after the next dollar has dropped.
The security investment model and diversification
In a security strategy, as in a financial investment portfolio, a conservative strategy requires assessment of two main areas: asset strength and portfolio diversity. Each investment needs to be validated as solid, so that the investment isn’t lost, and the portfolio needs to be diverse, either in markets or asset types, to ensure consistent performance against a variety of potential adverse conditions or threats. It helps to really think of your protection as a portfolio, and your choices as investments.
One of the leaders of this train of security thought is the current CSO of Aetna, Jim Routh, who has long treated the acquisition of security technologies as a forward-looking investment. He looks internally for areas needing improvement, and then externally for new ideas to fill the gaps created by new threats or deteriorating effectiveness of existing solutions. While you may not have Jim’s experience or Aetna’s scale, this is a good mindset to have.
Spending the Next Dollar
Evaluating the strength of your current security assets is straightforward: You, or your predecessor, acquired and deployed solutions that addressed a critical security challenge at that time. This strength will erode over time, as new forms of threat and entirely new classes of attack rise up, and this is where you need to entirely replace the existing solution with something new and hopefully better, or you need to diversify and add new protection to the infrastructure you have already deployed. & Whichever you choose, you should consider the following three questions in making your decision:
What specific improvements am I looking for?
Maybe you are subjected to a new threat from denial of service attacks, from targeted attacks against your own custom web applications, or you have read about ransomware’s path of destruction over the past couple of years. There are likely to be multiple areas, so take the time to prioritize the risks. As you look for solutions that can help — be they perimeter defenses, runtime protection, or threat detection and incident response tools — overlay any new provider’s functionality over your existing protections. You need to be able to identify the cost of your additional protection, and discount the value of redundant protection that the new solution may provide.
How quickly will I realize value?
Security weaknesses continue to add liability every day that they are left open, and the rapid evolution of the threats dictates that solutions lend themselves to rapid adoption. This is an area where there needs to be serious consideration of additional solutions versus complete replacement. It can be tempting to think about the purity of rip and replace, but there is usually a high level of disruption when it happens for all but the simplest platforms.
Speed also relates to the time it takes to understand and acquire new technologies. Complex offerings with six month implementation times are necessary in some cases, and should be considered. Where more discrete gaps are the issue, access to free trials, published pricing, and in-house pilots speed up the assessment of impact and integration without the added burden of sales calls, negotiations, and professional service contracts.
Is this an essentially irreversible decision?
Some security investments represent nearly irreversible decisions. If you are migrating to a new authenticating infrastructure, or aggregating many tools into a new SIEM, or using several components of a multi-function suite, your decision will be one that is going to be costly and painful to unwind. Every user and system integrated represents a potential future cost to remove. Irreversibility is necessary for some decisions, particularly those with embedded programmatic integrations, but flexibility should be the watchword at this time in the security market.
Strong security today looks almost completely unlike security 10 years ago, and that was a complete shift from security 10 years before that. We have matured from perimeter protections to event monitoring and detection, to concern over ransomware and targeted attacks with long dwell times. It is perfectly foreseeable that 10 years from now we will have evolved yet again. Decisions on security investment should account for challenges we can see and not unnecessarily discard existing solutions that got us here.
About the Author
Jack Danahy is the co-founder and CTO of runtime malware defense pioneer Barkly, and a 25-year innovator in computer, network, and data security. He was the founder and CEO of two successful security companies: Qiave Technologies (acquired by Watchguard Technologies in 2000) and Ounce Labs (acquired by IBM in 2009). Jack is a frequent writer and speaker on security and security issues, and has received multiple patents in a variety of security technologies. Prior to founding Barkly, Jack was the Director of Advanced Security for IBM, and led the delivery of security services for IBM in North America.
