Security in 2019: Getting Ahead of the Game
February 07, 2019
Shifting from a reactive to a proactive approach means working more closely with the business.
The year 2018 was not much different than recent years in the world of security: Several massive security incidents at large companies and government agencies exposed tens if not hundreds of millions of customer accounts. Breaches of this scope affect customer trust and long-term viability. While we can’t prevent all incidents, we can change our approach so that security isn’t an ongoing game of crisis management.
The issue isn’t underinvestment: Gartner forecast a 12.4% increase in spending on cybersecurity in 2018 and an 8.7% increase in 2019. What’s needed is a shift in risk management practices—from reactive to proactive and from a security-centric to a business-centric view.
Before internet-based businesses exploded in growth, it was fairly standard practice to create a “set it and forget it” security strategy. Security teams, if they existed, didn’t interact much with the business – until there was a problem, of course. Annual assessments were the norm, as was patching, monitoring and buying tools in an ad hoc manner.
Randomly adding more tools and people to security organizations without evidence-based thinking behind the decision doesn’t help mitigate risk. To complicate matters, IT infrastructure is continuously evolving in step with cloud computing trends, creating new gaps and requirements.
Security teams seem to be in a constant state of catch-up. They are spending too much time identifying and reacting to both internal and external threats instead of looking for root causes that could reduce risk and improve posture over time. Teams must cover both compliance and incident management, so it’s hard to know exactly what’s most important to the business. Optiv Security research from 2018 shows that 78% of organizations assessed scored low on their overall security strategy, and 82% scored low to medium in aligning business objectives with security programs. This leaves much at risk as the attack surface broadens to include more apps, connected devices and Internet of Things (IoT) technologies.
A New Way
Instead of operating reactively, companies can improve this picture by working closely with business counterparts. Consider these ideas to shift your thinking:
- Reach out to line-of-business stakeholders, the CFO and head of marketing so that security teams can gain clarity on business priorities, goals and criticality of applications. This knowledge will help align business goals with security goals.
- Communicate in business language that connects with your stakeholders, rather than using technical terms such as intrusion detection.
- Find out which assets, if compromised, would cause the most damaging business consequences, and then recommend the appropriate countermeasures.
- Create an updated inventory of the company’s attack surface, including applications, devices and data. Without that bird’s-eye view, it’s difficult to quickly identify and resolve incidents, much less to develop a business-centric strategy. This requires ongoing assessment of the current environment to ensure that controls and the asset inventory do not go out of date.
- Invest in skills training—the skills that matter now. Threat management, detection and threat analysis were identified as top training needs in a 2017 survey by AT&T.
- Connect security practices to core business processes, since data is the lifeblood of most organizations. Imagine if the hospitality industry assessed risk to food quality only on an annual basis.
Security’s role as a back-office activity focused on compliance and troubleshooting is no longer serving the business. By creating a fluid strategy in lockstep with business stakeholders, cybersecurity organizations can deliver a powerful platform from which the business can both increase compliance and grow customer trust and revenues. Let’s map the risk (r)evolution.
Essentials@Optiv, a service provided by Optiv Security, assesses, diagnoses and optimizes your organization’s security programs for business alignment based on your organization’s specific needs. Learn more here about this flexible approach to security.