Choosing the right security products to suit your business is a serious problem. The risk of being compromised is real, and there is a lot at stake. The cybersecurity landscape has changed significantly in the past decade. This book puts that into context and explains why modern challenges require next-generation tools.
However, this book is not simply a discussion of trends; it will provide you with a methodology to help you execute the product evaluation process. Starting with mapping your business needs, we explain step-by-step how you should determine those needs and what solutions would work best for you.
Then we break down success criteria validation, looking in detail at drivers from the perspectives of business management, security needs, and operational requirements. The interplay of these drivers must be carefully managed to achieve a good product fit.
A walkthrough of the evaluation process follows, with practical tips on where to start, pitfalls to avoid, and how to create success criteria that suit your business. There are detailed checklists in the appendices that will further support this process.
Finally, we close with a head-to-head discussion between the authors, one who approaches the issue of security tool evaluation from the perspective of a vendor and the other who addresses the process from a CISO’s point of view. We hope that the resulting discussion adds some enlightening points and provides an enjoyable close to the book.
Section 1: The Modern Challenges of Securing the Enterprise
How cybersecurity evolved
Cybersecurity technology has become increasingly sophisticated over the last decade. Tools for securing the enterprise are faster and stronger and, as processing speeds have increased, it has become possible to crunch far more data and even apply machine learning to get smart about threat identification.
Life would be simple if just one side were getting stronger in this battle. Unfortunately, that isn’t the case, as threats are evolving too. First, today’s attack surface is larger than ever. More devices are interconnected and sharing data – not just PCs but printers, air-conditioning systems, speakers, lights and even vending machines. Many of these devices are developed with security as an afterthought. The Internet of Things (IoT) means that this problem will increase. Add to that the rise of Bring-Your-Own-Device (BYOD), and security experts often find themselves trying to secure a flood of employee devices in addition to those of the enterprise.
Second, cybercriminals have access to the same advanced technologies as security experts, and that increases their chance of exploiting vulnerabilities in this broad range of targets. It’s relatively trivial for them to try more and more attacks in the hope that just one succeeds. On the other side of the fence, just one failure by a security team can mean disaster. Ethical hackers, researchers, and developers work hard to identify weak points and secure them, but attackers share tools, techniques, and information. In many ways, they collaborate more effectively than security specialists!
Finally, on top of all this are regulatory concerns around privacy and data security. The arrival of the European Union’s General Data Protection Regulation (GDPR) in 2018 added complexity to securing data and managing breaches, and the California Consumer Privacy Act (CCPA) is set to bring similar concerns to the U.S.
While all this has been going on, security has broken free of its old home in the IT department. A majority of firms now have dedicated cybersecurity experts, and almost every company now considers security to be “everyone’s responsibility,” rather than just confined to IT. In practice that means staff should be careful about which emails they open and which files they download, and should refrain from installing their own apps and running ‘shadow IT.’ However successful that is, dedicated security professionals are needed more than ever to assess threats and manage the tools used to tackle them.
Managing risk requires an adaptive and agile security culture, one that binds process, technology, and people together in a way that is effective and that allows the organization to act smarter. Having the right security products in place is essential, of course, but when it comes to adding to your arsenal, how do you know that what you are buying will be effective and worthwhile?
Achieving a mature security culture means embedding the risk and security teams in the process of evaluating products, vendors, and services. A typical procurement process might not be sufficient. Comparing specifications takes time and expertise, and different vendors sometimes use the same terms to mean different things. Is the latest innovation from your usual vendor actually new or is it a rebranded version of existing technology? Is the new bit of kit from a vendor you haven’t used before actually capable of doing all that it promises?
Factoring into this is cost. Are you buying a security solution outright or does it require a subscription? What’s practical and affordable depends on the available budget. EMA’s Security Megatrends 2019 report found that, although IT budgets have been increasing across sectors, there are still some industries that lag, especially manufacturing, healthcare, pharma and medical.
These verticals have been lagging behind other sectors for years, which makes them a target for attackers. Worse, personal health records are especially sought-after and trade for a high price because they can be used for a broad range of crimes, from acquiring new credit cards and making fraudulent purchases to full identity theft. Manufacturing is a similarly tempting target for industrial espionage. Without sufficient budget to tackle every threat, it’s vital to thoroughly evaluate every new product to get the most out of your money.
Typically, thorough planning and assessment will lead to a better evaluation of expected risks in decisions related to adopting new technology. We must understand the use case and our users, validate our resources (both in terms of personnel and infrastructure) and capacity, and expect the unexpected.
Furthermore, it is imperative that we shift our cybersecurity strategy from outright prevention, which is unrealistic given the modern threat landscape, to implementing techniques that quickly detect breaches and limit the damage once a violation is confirmed. Resilience and recovery will become differentiators. Intuitive tool sets can go a long way to speeding up that process.