Despite what many advertisements and salespeople would like you to think, you don’t need to (and in many cases shouldn’t) spend a fortune on security tools to achieve a robust cybersecurity program. Some tools are essential, such as a ticketing tool or Security Information and Event Management (SIEM) system, but the best security programs are built on the employees that run the business. Without their support and understanding, even the most secure system or software suite could be brought tumbling down with little effort.
Every member of an organization with access to computers or data is a potential source of compromise and a potential source of system failure. Almost every component, system, or workflow, down to the fundamental building blocks of society, relies on the fair and accurate participation of those involved in it. Accordingly, any deviation from this set state, whether intentional or not, can cause significant issues to arise.
It is vital that the security team realize that the purpose of security is, foremost, to promote the ability of the business to do business. Excessively complex or costly security measures that do not serve the needs of the organization or support it in its mission are worse than no security at all.
Staff over software
One of the first categories of people to focus on is your security (or IT) staff. Some technology requires specific skills, knowledge, or time, any one of which your team may lack. Without first considering the available resources needed to implement, use, or even maintain any given software solution, you would be missing a critical component in the evaluation process. Any software or tool is only as good as the person using it, regardless of how expensive or cutting edge it may be.
Each piece of software implemented, outside of the standard ‘install and forget’ type, requires planning, reviews, training, and maintenance to be effective. Given the state of most IT and Cybersecurity teams, there are likely not enough hours to go around to properly execute the tasks needed to meet the above requirements. Implementation and maintenance requirements will vary based on the type of software, but they will always be present and should be factored into the overall cost of the solution being considered.
The second category is, of course, the employees of the organization. Not all tools will solely reside in the domain of the IT or Security teams; some may be rolled out to broad swathes of the organization. As anyone who works in cybersecurity knows, we walk a careful line between security and functionality. The software we pick, therefore, must be secure enough without being overly complex or burdensome. Any solution must be ‘right-sized’ to the institution, both in cost and effectiveness, but also in adoptability. If staff refuse to, or are unable to, use the new tool, it serves very little purpose in the overall mission of security.
Instead of prioritizing software, it is recommended to focus first on user training on key security issues and on the acceptable use of technology. Part of this training should include active testing such as phishing campaigns or other social engineering endeavors. Focusing on employee training has been seen to lead to a far higher security return when compared to equivalent software solutions.
When to use software
To be clear, it is not being argued that organizations shouldn’t use any software. In order to have a fully mature and functional security program, there are several critical components that any organization should adopt. Specific requirements will vary per organization, industry, and regulatory requirements, but a general list of ‘must-haves’ is:
- SIEM software
- End-point protection software
- Vulnerability scanning software
- Mobile Device Management (MDM) software (as needed)
- Backup software
- Encryption technology
The above list is far from exhaustive but gives an idea of what organizations should prioritize when it comes to adoption.
While software is an essential component of security programs, it should not be the first thing to target when building a program. The most important step is to develop a strategy. To put it simply, a security strategy is the process of identifying the current state of the organization and its desired state. The strategy is a roadmap outlining where the organization is planning to go and how it will get there. This would include conducting a risk assessment, establishing a risk tolerance, and selecting a framework.
Once the strategy is developed, the necessary steps to reach the desired goal become much clearer. This is the stage where software review and selection processes would come into play.
Software is a cornerstone of a well-founded security program, but it must be used strategically. For organizations looking to build a security program from scratch, emphasis should first be given to defining the overarching security strategy, followed by the people who make up the company. Only once these are established and understood should software be considered. To build a truly effective security program, all components must work in concert to achieve the end goal. Should any one component fail to mesh with the others, the only result will be a discordant and frustrating program that serves neither to secure the organization nor to assist it in its mission.
Any system that does not serve to further the goal of the organization it is a part of only exists for as long as it takes to excise it. Unity and cooperation are the hallmarks of a mature and robust security program, which includes the tools used by, and proposed by, the security team.