Security in 2019: Getting Ahead of the Game

February 07, 2019

Shifting from a reactive to a proactive approach means working closer with the business.

The year 2018 was not much different than recent years in the world of security: Several massive security incidents at large companies and government agencies exposed tens if not hundreds of millions of customer accounts. Breaches of this scope affect customer trust and long-term viability. While we can’t prevent all incidents, we can change our approach so that security isn’t an ongoing game of crisis management. 

According to a Gartner press release, "Worldwide spending on information security products and services will reach more than $114 billion in 2018, an increase of 12.4 percent from last year, according to the latest forecast from Gartner, Inc."*

What’s needed is a shift in risk management practices—from reactive to proactive and from a security-centric to a business-centric view.

Before internet-based businesses exploded in growth, it was fairly standard practice to create a “set it and forget it” security strategy. Security teams, if they existed, didn’t interact much with the business – until there was a problem, of course. Annual assessments were the norm, as was patching, monitoring and buying tools in an ad hoc manner. 

Randomly adding more tools and people to security organizations without evidence-based thinking behind the decision doesn’t help mitigate risk. To complicate matters, IT infrastructure is continuously evolving in step with cloud computing trends, creating new gaps and requirements. 

Security teams seem to be in a constant state of catch-up. They are spending too much time identifying and reacting to both internal and external threats instead of looking for root causes that could reduce risk and improve posture over time. Teams must cover both compliance and incident management, so it’s hard to know exactly what’s most important to the business. Optiv Security research from 2018 shows that 78% of organizations assessed scored low on their overall security strategy, and 82% scored low to medium in aligning business objectives with security programs. This leaves much at risk as the attack surface broadens to include more apps, connected devices and Internet of Things (IoT) technologies. 

A New Way

Instead of operating reactively, companies can improve this picture by working closely with business counterparts. Consider these ideas to shift your thinking:

  1. Reach out to line-of-business stakeholders, the CFO and head of marketing so that security teams can gain clarity on business priorities, goals and criticality of applications. This knowledge will help align business goals with security goals. 
  2. Communicate in business language that connects with your stakeholders, rather than using technical terms such as intrusion detection. 
  3. Find out which assets, if compromised, could result in the most damaging business consequences, and then recommend the appropriate countermeasures. 
  4. Create an updated inventory of the company’s attack surface, including applications, devices and data. Without that bird’s-eye view, it’s difficult to quickly identify and resolve incidents, much less develop a business-centric strategy. This requires an ongoing assessment of the current environment to ensure that controls and asset inventory are not out of date.
  5. Invest in training for the skills that matter now. Threat management, detection and threat analysis were identified as top training needs in a 2017 survey by AT&T.
  6. Connect security practices to core business processes since data is the lifeblood of most organizations. Imagine if the hospitality industry only assessed risk to food quality on an annual basis? 

Security’s role as a back-office activity focused on compliance and troubleshooting is no longer serving the business. By creating a fluid strategy in lockstep with business stakeholders, cybersecurity organizations can deliver a powerful platform from which the business can both increase compliance and grow customer trust and revenues. Let’s map the risk (r)evolution.

 

Essentials@Optiv, a service provided by Optiv Security, assesses, diagnoses and optimizes your organization’s security programs for business alignment based on your organization’s specific needs. Learn more here about this flexible approach to security.

*Gartner Press Release, "Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019", August 15, 2018. https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartnerforecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019


By: Dustin Owens

VP and GM, Risk and Compliance Advisory
