So many vendors, so little budget. Security departments are constantly tasked to know how to properly allocate funds to staffing, resources, tools, solutions, software, vendors, third-party contractors, and more. Even an unlimited budget wouldn’t help as security departments can find themselves bloated with software or vendors, leading to an inefficiently run department.
We spoke to Mark Butler, CISO of MegaplanIT, to understand how security departments, with small and large budgets, can manage their spending effectively when considering new vendors or solutions.
Establish Your Framework
Butler’s most important advice was to establish a security framework for your organisation. You can start off by adopting existing frameworks provided by ISO, Cloud Security Alliance or other associations who have developed frameworks for organisations that match your organisation’s specific considerations such as industry and department maturity.
When developing a framework, here are a couple of questions Butler advises to start with.
- What am I detecting? Preventing? Responding to?
- What in my organisation is at risk?
- What is my industry and how does that affect my risk and threats I should be aware of?
- What type of revenue, assets, or information am I trying to protect?
- What is the makeup of my organisation? My security department?
Answering these questions will help you understand what you’re trying to secure. Some organisations will require physical asset protection while others will require IP
protection. Additional framework considerations include an organisation’s revenue stream, supply chain and third parties, business model and more.
Having a framework in place improves effective decision-making when considering new vendors or solutions as your organisation grows and its needs increase. The framework would also help you highlight security gaps or deficiencies so if your budget were to increase, you’d know where to allocate that money effectively.
Butler notes that the right framework should hold true, regardless of size or budget. “Whether you’re a 5 or 500 person team with a large or small budget, you’ll have similar type of tools….tackling the same type of risk”
The major differences between tools and vendors by budget is that organisations with a smaller budget can rely on open-source tools while large-budget orgs can invest in enterprise and more specialised products. However, even these tools, despite the differences in price, have their pros and cons.
Fortunately, the considerations making up these frameworks are built to scale.
Ask the Right Questions
When you’re ready to shop around for vendors, your previously-established framework should provide a benchmark you can assess vendors against. “If I want to invest further in tools, people, or processes,” Butler explains, “they need to be evaluated within a given set of capabilities. What type of bucket does this solution fall into? Is it a prevention tool? Detection tool that improves response time or is it a response tool? They should be assessed from a technical, threat, and risk standpoint.”
These considerations are essential for making sure your budget is being spent on the most effective tools that will make a positive impact on your organisation. It will also help you find the right vendors that will either cover a new area of defense as they come up in the security world or replace legacy vendors that are no longer effective or applicable.
Avoid Spending and Vendor Pitfalls
When asked what common pitfalls organisations usually fall into, Butler points to older, legacy solutions. “Ultimately, tools that were deployed 5-10 years ago aren’t what they used to be from a security stack standpoint,” Butler explains. “Cloud-based tools, next-gen variations of tools, AI-based tools, and tools based on network traffic are very much needed now.”
Butler also mentions that tools focused on signatures, point-in-time information, and static analysis aren’t as helpful anymore because of how an organisation’s environment has changes. For example, network intrusion detection analysis tools, despite being commonly required for compliance, doesn’t provide the security benefit it used to because it often doesn’t look at encrypted traffic.
When considering your current security technology stack, Butler recommends you review why each vendor and solution was purchased in the first place, what the tool’s current use case and value is, and what the roadmap for the tool is. This will help you understand whether the tool will be updated for more contemporary use cases by the manufacturer or whether you should look for a better tool or a broad-reaching tool that will subsume a lot of your current tool’s responsibilities. Often, endpoint solutions are the ones that require the most scrutiny because the threat landscape and endpoint threats are most subject to change.
Of course, one of the biggest problems an organisation faces is spending on tools that don’t fit an organisation. This can be due to a lack of dedicated resources but it also may be a tool that doesn’t provide a benefit given the organisation’s security objectives. The problem with having partially implemented tools doesn’t get solved by partially implementing more tools.
This is why establishing a framework is extremely important.
Making a Choice: Fundamental Tools, Single-Point Solutions, and New Solutions
While developing a framework is fundamental here, it is a long-term endeavor so we wanted to look at ways to approach vendors and tools if you’re considering single-point solutions, just getting your department off the ground, or looking for solutions that defend against a new threat.
Starting With the Fundamentals
Butler encourages organisations to start investing in threat detection tools before moving on to prevention tools and response tools as their security department matures. Detection tools should focus on:
- Network security
- Endpoint security
- Server security
- Identity & account management
- Application security scanning
- Web & email filtering
- Content management
Prevention tools include next-gen firewalls, endpoint detection, and sandboxing applications for various channels. As your organisation matures, Butler encourages more proactive methods and tools such as honeynets and honeypots, canary accounts, and publishing fake data to see who is targeting your organisation and where your data is being sold.
Single-Point Vendors and Solutions
Butler recommends that stand-alone tools should be utilised if there’s “dedicated staffing or manual reporting” to support and track metrics. He also mentions that most organisations tend to prefer a more simplified security stack, which is why end-to-end security solutions look so attractive.
However, when evaluating single-point solutions against a broad-reaching solution, you should always consider real use cases and situations tied to your organisation’s specific needs.
Evaluating New Vendors in 2019
While new threats and attacks should always be expected, Butler affirms that a framework goes a long way in helping you find the right solutions. Most attacks and threats, whether new or old, exploit fundamental and core vulnerabilities within an organisation. By aligning any new investments in the year to your framework and finding ways to improve the maturity of your security department, your organisation will be more than equipped to face new threats in the coming year.