Sergey Nivens - Fotolia
Are new cybersecurity products the best investment for enterprises?
Having the latest cybersecurity products isn't always the best way to approach security. Expert Mike O. Villegas explains why and how to deal with pressure to buy new.
A recent report from Trustwave, the "2016 Security Pressures Report", found that IT managers feel pressured to buy new cybersecurity products even if they or their staff don't have the right skills to implement the technology. How can managers push back on this pressure? Or should they buy the new technology and get the training to implement it properly?
The 2016 Trustwave report found that 74% of the 1,400 IT/security professional respondents felt pressured to select the latest cybersecurity products, while 31% lacked the resources to properly adopt, deploy and use them. The survey does not say where the pressures are coming from or what new cybersecurity products are referred to, but it does state that the majority of respondents (54%) listed detection of vulnerabilities, malware, malicious activity or compromises as their most pressure-inducing security responsibilities.
Given the threats listed, the cybersecurity products in question appear to focus on SIEMs, FIMs, NGFWs, IPS/IDS, DLP, MDM, MFA and antivirus/antimalware software. These technologies continue to improve in scope, scalability, coverage and manageability but commensurately so do the skills required to use them.
The pressure to use the latest cybersecurity products likely comes from upper management, industry best practices, emerging technologies and perceived risk levels. But before succumbing to these pressures, security professionals need to realistically look over their situation and do three things:
- Perform a security risk assessment to identify mission critical applications, sensitive and confidential data, the business impact if the technology is not available due to errors or breaches, threats to critical assets and applications, and the effectiveness of the design of controls over these assets;
- Perform a skills inventory of the staff to determine whether the products being considered or already in place are properly used; and
- Determine whether to focus on building internal capabilities or outsource to a managed service provider.
Asking how managers can push back on these pressures is the wrong question. It's better not to push back on pressures but to instead focus on planning, proposing, deploying and maintaining the most effective cybersecurity products.
- Make security plans based on risk assessments, a skills inventory and whether security services are outsourced or kept in-house. Plans should also be based on a proven cybersecurity framework;
- Propose the security plan to executive management for approval and funding;
- Deploy the approved technology and information security program. This includes eliminating shelfware and upgrading to current tools; and
- Maintain the program through security monitoring, updating to current patches, testing controls, staying compliant and remediating any issues. This includes building staff skill levels if the security program is kept in-house.
This is an iterative process. As the enterprise expands, protection levels may also grow. Security professionals should not allow pressures for new cybersecurity products to drive what they need and what they know is right for the enterprise.
Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)
Find out when it's time to change your cybersecurity products
Learn how security vendor hacks affect enterprises
Discover how a risk assessment on a third-party vendor can improve security
Dig Deeper on Security operations and management
Related Q&A from Mike O. Villegas
Best practices for reporting ransomware attacks
As ransomware continues to surge, companies are faced with decisions to report the attacks, pay the ransom or both. Experts weigh in on the options ... Continue Reading
What should be included in a social media security policy?
A social media security policy is necessary for most enterprises today. Expert Mike O. Villegas discusses what should be included in social media ... Continue Reading
Can CISOs facilitate peace between privacy and information security?
Privacy and information security can often be at odds with each other in enterprises. Expert Mike O. Villegas explains how C-levels can help to get ... Continue Reading